From: Andrew Ballance Date: Wed, 15 May 2024 12:38:33 +0000 (-0500) Subject: fs/ntfs3: Check if more than chunk-size bytes are written X-Git-Tag: v6.12-rc3~31^2~22 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=9931122d04c6d431b2c11b5bb7b10f28584067f0;p=linux-block.git fs/ntfs3: Check if more than chunk-size bytes are written A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance Signed-off-by: Konstantin Komarov --- diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c index 4aae598d6d88..fdc9b2ebf341 100644 --- a/fs/ntfs3/lznt.c +++ b/fs/ntfs3/lznt.c @@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr, /* Do decompression until pointers are inside range. */ while (up < unc_end && cmpr < cmpr_end) { + // return err if more than LZNT_CHUNK_SIZE bytes are written + if (up - unc > LZNT_CHUNK_SIZE) + return -EINVAL; /* Correct index */ while (unc + s_max_off[index] < up) index += 1;