fs/ntfs3: Check if more than chunk-size bytes are written
author Andrew Ballance <andrewjballance@gmail.com>
Wed, 15 May 2024 12:38:33 +0000 (07:38 -0500)
committer Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Tue, 3 Sep 2024 13:58:39 +0000 (16:58 +0300)
An incorrectly formatted chunk may decompress into
more than LZNT_CHUNK_SIZE bytes and an index out of bounds
will occur in s_max_off.

Signed-off-by: Andrew Ballance <andrewjballance@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3/lznt.c

index 4aae598d6d884625ca264f3e6c74bdf201505e54..fdc9b2ebf3410e9ae888a5f738190a89d223cfe5 100644 (file)
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
 
        /* Do decompression until pointers are inside range. */
        while (up < unc_end && cmpr < cmpr_end) {
+               // return err if more than LZNT_CHUNK_SIZE bytes are written
+               if (up - unc > LZNT_CHUNK_SIZE)
+                       return -EINVAL;
                /* Correct index */
                while (unc + s_max_off[index] < up)
                        index += 1;
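Review bot: the new check at the top of the while loop does not say why LZNT_CHUNK_SIZE is the right bound for the `s_max_off[index]` walk that follows it. The inner loop `while (unc + s_max_off[index] < up) index += 1;` has no bound on `index` of its own, so it stays in range only if the last entry of s_max_off is at least LZNT_CHUNK_SIZE, and with `>` rather than `>=` an offset of exactly LZNT_CHUNK_SIZE still reaches that loop. These lines do not show the table, so please state that relationship in the comment (or enforce it with a compile-time assertion next to the table) so a later change to either value cannot silently reopen the out-of-bounds read. The comment also describes what the test does rather than what it protects; something like "a malformed chunk must not advance past the last s_max_off entry" would be more useful. Minor style point: the added comment uses `//` while the surrounding comments in this function use `/* ... */`.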