Checked that indexes do not exceed the index block size

Make sure the used part of an index block fits into the allocated buffer. Note : a negative size may cause overflow on 32-bit cpus. (contributed by Rakesh Pandit)
2021-07-12 08:31:18 +02:00 · 2021-07-12 08:31:18 +02:00 · 5c002438f2
parent 20d700841b
commit 5c002438f2
2 changed files with 10 additions and 1 deletions
--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@ -425,7 +425,8 @@ descend_into_child_node:
 		goto close_err_out;
 	}
 	index_end = (u8*)&ia->index + le32_to_cpu(ia->index.index_length);
-	if (index_end > (u8*)ia + index_block_size) {
+	if (((s32)le32_to_cpu(ia->index.index_length) < 0)
+	    || (index_end > (u8*)ia + index_block_size)) {
 		ntfs_log_error("Size of index buffer (VCN 0x%llx) of directory inode "
 				"0x%llx exceeds maximum size.\n",
 				(long long)vcn, (unsigned long long)dir_ni->mft_no);
--- a/libntfs-3g/index.c
+++ b/libntfs-3g/index.c
@ -421,6 +421,14 @@ static int ntfs_ia_check(ntfs_index_context *icx, INDEX_BLOCK *ib, VCN vcn)
 			       icx->block_size);
 		return -1;
 	}
+	if (((s32)le32_to_cpu(ib->index.index_length) < 0)
+	    || ((u8*)&ib->index + le32_to_cpu(ib->index.index_length) >
+			(u8*)ib + icx->block_size)) {
+		ntfs_log_error("Size of index buffer (%lld) of inode %llu "
+				"exceeds maximum size.\n", (long long)vcn,
+				(unsigned long long)icx->ni->mft_no);
+		return -1;
+	}
 	return 0;
 }