From 5c002438f27d3dec445fa72c8089ffef7af5a51c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 12 Jul 2021 08:31:18 +0200
Subject: [PATCH] Checked that indexes do not exceed the index block size

Make sure the used part of an index block fits into the allocated buffer.
Note : a negative size may cause overflow on 32-bit cpus.
(contributed by Rakesh Pandit)
---
 libntfs-3g/dir.c | 3 ++-
 libntfs-3g/index.c | 8 ++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/libntfs-3g/dir.c b/libntfs-3g/dir.c
index 0a3c87dd..76c052cf 100644
--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@@ -425,7 +425,8 @@ descend_into_child_node:
 goto close_err_out;
 }
 index_end = (u8*)&ia->index + le32_to_cpu(ia->index.index_length);
- if (index_end > (u8*)ia + index_block_size) {
+ if (((s32)le32_to_cpu(ia->index.index_length) < 0)
+ || (index_end > (u8*)ia + index_block_size)) {
 ntfs_log_error("Size of index buffer (VCN 0x%llx) of directory inode "
 "0x%llx exceeds maximum size.\n",
 (long long)vcn, (unsigned long long)dir_ni->mft_no);
diff --git a/libntfs-3g/index.c b/libntfs-3g/index.c
index f804efcc..c8c03481 100644
--- a/libntfs-3g/index.c
+++ b/libntfs-3g/index.c
@@ -421,6 +421,14 @@ static int ntfs_ia_check(ntfs_index_context *icx, INDEX_BLOCK *ib, VCN vcn)
 icx->block_size);
 return -1;
 }
+ if (((s32)le32_to_cpu(ib->index.index_length) < 0)
+ || ((u8*)&ib->index + le32_to_cpu(ib->index.index_length) >
+ (u8*)ib + icx->block_size)) {
+ ntfs_log_error("Size of index buffer (%lld) of inode %llu "
+ "exceeds maximum size.\n", (long long)vcn,
+ (unsigned long long)icx->ni->mft_no);
+ return -1;
+ }
 return 0;
 }
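Review bot: The dir.c guard still lets `index_end` be built from the unvalidated `index_length` on the context line above the `if`, so `(u8*)&ia->index + index_length` can already point far outside the block before the new comparison runs, and the `(s32)` cast is only needed because the bound is tested on pointers instead of on the length. Testing integers avoids both the signed-cast trick and the out-of-range pointer: `if (le32_to_cpu(ia->index.index_length) > index_block_size - (u32)((u8*)&ia->index - (u8*)ia))` rejects every oversized value on any word size, and `index_end` can be computed after it. That form assumes `index_block_size` is at least the size of the INDEX_ALLOCATION header, which I cannot see validated in this hunk—presumably it is checked where the attribute is read. Nothing here establishes a lower bound on `index_length` either (at least the index header, and not below `entries_offset`), so if that is not checked elsewhere the entry walk that follows can start beyond `index_end`. The enclosing function begins and ends outside the hunk.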
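Review bot: The added `ntfs_log_error` in ntfs_ia_check labels its first argument as a size, `"Size of index buffer (%lld) of inode %llu "`, but the value passed is `vcn`; the dir.c counterpart prints the same value as `(VCN 0x%llx)`, so `"Size of index buffer (VCN 0x%llx) of inode %llu "` would make the two messages consistent and stop the log reading as if the VCN were the size. As in dir.c, the new condition forms `(u8*)&ib->index + index_length` from the untrusted length before comparing it, which is what makes the `(s32)` cast necessary; `le32_to_cpu(ib->index.index_length) > icx->block_size - (u32)((u8*)&ib->index - (u8*)ib)` checks the same bound on integers without creating an out-of-range pointer. Whether `icx->block_size` is already validated against the header size is decided above the hunk, which I cannot see; the rest of ntfs_ia_check's body starts outside the hunk.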