From 67f959df96136e2922100b8b585d92126438794f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 12 Jul 2021 08:31:18 +0200
Subject: [PATCH] Fixed the computation of the end of index entry
The end of an index entry is related to its full length, not to the length of the key. Added an error message in an overflow case.
---
 libntfs-3g/dir.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/libntfs-3g/dir.c b/libntfs-3g/dir.c
index 76c052cf..d4c8204e 100644
--- a/libntfs-3g/dir.c
+++ b/libntfs-3g/dir.c
@@ -306,10 +306,11 @@ u64 ntfs_inode_lookup_by_name(ntfs_inode *dir_ni,
 /* Bounds checks. */
 if ((u8*)ie < (u8*)ctx->mrec || (u8*)ie +
 sizeof(INDEX_ENTRY_HEADER) > index_end ||
- (u8*)ie + le16_to_cpu(ie->key_length) >
+ (u8*)ie + le16_to_cpu(ie->length) >
 index_end) {
- ntfs_log_error("Index entry out of bounds in inode %lld"
- "\n", (unsigned long long)dir_ni->mft_no);
+ ntfs_log_error("Index root entry out of bounds in"
+ " inode %lld\n",
+ (unsigned long long)dir_ni->mft_no);
 goto put_err_out;
 }
 /*
@@ -446,7 +447,7 @@ descend_into_child_node:
 /* Bounds check. */
 if ((u8*)ie < (u8*)ia || (u8*)ie +
 sizeof(INDEX_ENTRY_HEADER) > index_end ||
- (u8*)ie + le16_to_cpu(ie->key_length) >
+ (u8*)ie + le16_to_cpu(ie->length) >
 index_end) {
 ntfs_log_error("Index entry out of bounds in directory "
 "inode %lld.\n",
@@ -1248,9 +1249,13 @@ int ntfs_readdir(ntfs_inode *dir_ni, s64 *pos,
 /* Bounds checks. */
 if ((u8*)ie < (u8*)ctx->mrec || (u8*)ie +
 sizeof(INDEX_ENTRY_HEADER) > index_end ||
- (u8*)ie + le16_to_cpu(ie->key_length) >
- index_end)
+ (u8*)ie + le16_to_cpu(ie->length) >
+ index_end) {
+ ntfs_log_error("Index root entry out of bounds in"
+ " inode %lld\n",
+ (unsigned long long)dir_ni->mft_no);
 goto dir_err_out;
+ }
 /* The last entry cannot contain a name. */
 if (ie->ie_flags & INDEX_ENTRY_END)
 break;
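Review bot: The new bound still takes the on-disk `ie->length` at face value relative to the rest of the entry: an entry whose `length` is smaller than `sizeof(INDEX_ENTRY_HEADER) + key_length` passes the check, so the key read later (outside this hunk) can still extend past the entry, and if the loop advances by `ie->length` a zero value would never move the cursor. I would follow the `index_end` comparison with `if (le16_to_cpu(ie->length) < sizeof(INDEX_ENTRY_HEADER) + le16_to_cpu(ie->key_length)) goto put_err_out;` behind the same log message, and the same applies to the hunks at 447, 1249 (`dir_err_out`) and 1413. Since all four sites now repeat the identical three-term comparison, a `static` helper taking `ie`, the buffer start and `index_end` would keep them from drifting apart again, which is presumably how the `key_length`/`length` mix-up went unnoticed. `ntfs_inode_lookup_by_name` continues outside the hunk.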
@@ -1408,7 +1413,7 @@ find_next_index_buffer:
 /* Bounds checks. */
 if ((u8*)ie < (u8*)ia || (u8*)ie +
 sizeof(INDEX_ENTRY_HEADER) > index_end ||
- (u8*)ie + le16_to_cpu(ie->key_length) >
+ (u8*)ie + le16_to_cpu(ie->length) >
 index_end) {
 ntfs_log_error("Index entry out of bounds in directory inode "
 "%lld.\n", (unsigned long long)dir_ni->mft_no);