From 891b7e97b34395ee4afda6de491c872947da1f53 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jpandre@users.sourceforge.net>
Date: Thu, 22 Jul 2010 14:49:46 +0200
Subject: [PATCH] Improved sanity checks on a security descriptor

---
 libntfs-3g/acls.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/libntfs-3g/acls.c b/libntfs-3g/acls.c
index eda7a3ad..76cc6ce5 100644
--- a/libntfs-3g/acls.c
+++ b/libntfs-3g/acls.c
@@ -615,7 +615,6 @@ BOOL ntfs_valid_descr(const char *securattr, unsigned int attrsz)
 		 * old revision and no DACL though SE_DACL_PRESENT is set
 		 */
 	if ((attrsz >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
-		&& (ntfs_attr_size(securattr) <= attrsz)
 		&& (phead->revision == SECURITY_DESCRIPTOR_REVISION)
 		&& (offowner >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
 		&& ((offowner + 2) < attrsz)
@@ -623,14 +622,15 @@ BOOL ntfs_valid_descr(const char *securattr, unsigned int attrsz)
 		&& ((offgroup + 2) < attrsz)
 		&& (!offdacl
 			|| ((offdacl >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
-			    && (offdacl < attrsz)))
+			    && (offdacl+sizeof(ACL) < attrsz)))
 		&& (!offsacl
 			|| ((offsacl >= sizeof(SECURITY_DESCRIPTOR_RELATIVE))
-			    && (offsacl < attrsz)))
+			    && (offsacl+sizeof(ACL) < attrsz)))
 		&& !(phead->owner & const_cpu_to_le32(3))
 		&& !(phead->group & const_cpu_to_le32(3))
 		&& !(phead->dacl & const_cpu_to_le32(3))
 		&& !(phead->sacl & const_cpu_to_le32(3))
+		&& (ntfs_attr_size(securattr) <= attrsz)
 		&& ntfs_valid_sid((const SID*)&securattr[offowner])
 		&& ntfs_valid_sid((const SID*)&securattr[offgroup])
 			/*