From 8adc9c618496d2c99b0bdc5bd7db6d59a86c513b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 17 May 2021 15:35:02 +0300
Subject: [PATCH] Hardened consistency checks of MFT records

Check the record is properly aligned and does not flow beyond the expected end of the record.
---
 libntfs-3g/mft.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/libntfs-3g/mft.c b/libntfs-3g/mft.c
index 33b832a9..267f7306 100644
--- a/libntfs-3g/mft.c
+++ b/libntfs-3g/mft.c
@@ -240,7 +240,19 @@ int ntfs_mft_record_check(const ntfs_volume *vol, const MFT_REF mref,
 le32_to_cpu(m->bytes_allocated));
 goto err_out;
 }
-
+ if (le32_to_cpu(m->bytes_in_use) > vol->mft_record_size) {
+ ntfs_log_error("Record %llu has corrupt in-use size "
+ "(%u > %u)\n", (unsigned long long)MREF(mref),
+ (int)le32_to_cpu(m->bytes_in_use),
+ (int)vol->mft_record_size);
+ goto err_out;
+ }
+ if (le16_to_cpu(m->attrs_offset) & 7) {
+ ntfs_log_error("Attributes badly aligned in record %llu\n",
+ (unsigned long long)MREF(mref));
+ goto err_out;
+ }
+
 a = (ATTR_RECORD *)((char *)m + le16_to_cpu(m->attrs_offset));
 if (p2n(a) < p2n(m) || (char *)a > (char *)m + vol->mft_record_size) {
 ntfs_log_error("Record %llu is corrupt\n",
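Review bot: The two added checks never relate `attrs_offset` to `bytes_in_use`: an offset that is 8-aligned but smaller than the record header, or at or past the in-use size, passes both, and the unchanged test below only rejects `a` strictly beyond `m + vol->mft_record_size`, so `a` may still point exactly at the end of the buffer. Since the aim is to keep attribute parsing inside a corrupt record, consider also rejecting `le16_to_cpu(m->attrs_offset) >= le32_to_cpu(m->bytes_in_use)` (and an offset below the header size) with the same `goto err_out` pattern. In the new `ntfs_log_error` call the `%u` conversions are fed `(int)` casts; `(unsigned int)le32_to_cpu(m->bytes_in_use)` and `(unsigned int)vol->mft_record_size` would match the format. The body of `ntfs_mft_record_check` starts and ends outside this hunk, so later code may already cover part of this.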