Blame SOURCES/e2fsprogs-1.45.6-libext2fs-fix-potential-buffer-overrun-in-__get_dire.patch

a77133
From b7466a55e89aa6d6a649734f2b1b24a03390bcef Mon Sep 17 00:00:00 2001
a77133
From: Theodore Ts'o <tytso@mit.edu>
a77133
Date: Wed, 26 Aug 2020 16:29:29 -0400
a77133
Subject: [PATCH 08/46] libext2fs: fix potential buffer overrun in
a77133
 __get_dirent_tail()
a77133
Content-Type: text/plain
a77133
a77133
If the file system is corrupted, there is a potential of a read-only
a77133
buffer overrun.  Fortunately, we don't actually use the result of that
a77133
pointer dereference, and the overrun is at most 64k.
a77133
a77133
Google-Bug-Id: #158564737
a77133
Fixes: eb88b751745b ("libext2fs: make ext2fs_dirent_has_tail() more strict")
a77133
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
a77133
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
a77133
---
a77133
 lib/ext2fs/csum.c | 3 +--
a77133
 1 file changed, 1 insertion(+), 2 deletions(-)
a77133
a77133
diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
a77133
index a7172580..2151003b 100644
a77133
--- a/lib/ext2fs/csum.c
a77133
+++ b/lib/ext2fs/csum.c
a77133
@@ -266,12 +266,11 @@ static errcode_t __get_dirent_tail(ext2_filsys fs,
a77133
 	d = dirent;
a77133
 	top = EXT2_DIRENT_TAIL(dirent, fs->blocksize);
a77133
 
a77133
-	rec_len = translate(d->rec_len);
a77133
 	while ((void *) d < top) {
a77133
+		rec_len = translate(d->rec_len);
a77133
 		if ((rec_len < 8) || (rec_len & 0x03))
a77133
 			return EXT2_ET_DIR_CORRUPTED;
a77133
 		d = (struct ext2_dir_entry *)(((char *)d) + rec_len);
a77133
-		rec_len = translate(d->rec_len);
a77133
 	}
a77133
 
a77133
 	if ((void *)d > ((void *)dirent + fs->blocksize))
a77133
-- 
a77133
2.35.1
a77133