From 4a4ec8c1c6aef9a30d9df1455afb5614a6d398f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Wed, 30 Sep 2015 08:51:20 +0200
Subject: [PATCH] Fixed a bad sanity check in ntfsfix

Fix misordered checks to avoid potential segfaults on badly damaged partitions.
---
 ntfsprogs/ntfsfix.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ntfsprogs/ntfsfix.c b/ntfsprogs/ntfsfix.c
index add14d06..d5cbf720 100644
--- a/ntfsprogs/ntfsfix.c
+++ b/ntfsprogs/ntfsfix.c
@@ -739,13 +739,14 @@ static ATTR_RECORD *find_unnamed_attr(MFT_RECORD *mrec, ATTR_TYPES type)
 /* fetch the requested attribute */
 offset = le16_to_cpu(mrec->attrs_offset);
 a = (ATTR_RECORD*)((char*)mrec + offset);
- while ((a->type != AT_END)
- && ((a->type != type) || a->name_length)
- && (offset < le32_to_cpu(mrec->bytes_in_use))) {
+ while ((offset < le32_to_cpu(mrec->bytes_in_use))
+ && (a->type != AT_END)
+ && ((a->type != type) || a->name_length)) {
 offset += le32_to_cpu(a->length);
 a = (ATTR_RECORD*)((char*)mrec + offset);
 }
- if ((a->type != type)
+ if ((offset >= le32_to_cpu(mrec->bytes_in_use))
+ || (a->type != type)
+ || a->name_length)
 || a->name_length)
 a = (ATTR_RECORD*)NULL;
 return (a);
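Review bot: A damaged record whose attribute header carries `length == 0` still makes the reordered loop spin forever, because `offset += le32_to_cpu(a->length)` never advances and the new `offset < bytes_in_use` guard keeps passing; on a badly damaged partition this is as much a denial of the repair as the segfault the commit fixes. A zero-length step should be treated as corruption before the advance, e.g. `if (!a->length) return ((ATTR_RECORD*)NULL);` placed above `offset += le32_to_cpu(a->length);`. The bound itself only proves the first byte of the header is inside `bytes_in_use`, so `a->type`, `a->length` and `a->name_length` can still be read from a header that straddles the end; tightening the comparison to cover the fixed header fields the loop reads would close that gap, and `bytes_in_use` is presumably validated against the record size by the caller, which is worth confirming. The declaration of `offset` lies outside the hunk, so whether repeated 32-bit additions can wrap it cannot be judged here; find_unnamed_attr's body also continues past the hunk.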