From bb4456d3397c5eac559c35b2310d0bb02cd15525 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 19 Jul 2021 09:23:23 +0200
Subject: [PATCH] Redesigned the INDEX_ROOT consistency checks

By ordering the values from smallest to biggest, there is less chance to be caught by an arithmetic overflow.
---
 libntfs-3g/attrib.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/libntfs-3g/attrib.c b/libntfs-3g/attrib.c
index f4f31cf6..b831c2bb 100644
--- a/libntfs-3g/attrib.c
+++ b/libntfs-3g/attrib.c
@@ -3496,16 +3496,15 @@ int ntfs_attr_consistent(const ATTR_RECORD *a, const MFT_REF mref)
 if (a->non_resident
 || (le32_to_cpu(a->value_length)
 < offsetof(INDEX_ROOT, index.reserved))
+ || (le32_to_cpu(ir->index.entries_offset)
+ < sizeof(INDEX_HEADER))
 || (le32_to_cpu(ir->index.index_length)
- & 0xff000000)
- || ((le32_to_cpu(a->value_length)
- - le32_to_cpu(ir->index.index_length))
- < offsetof(INDEX_ROOT,index))
- || ((le32_to_cpu(a->value_length)
- - le32_to_cpu(ir->index.index_length))
 < le32_to_cpu(ir->index.entries_offset))
- || (le32_to_cpu(ir->index.index_length)
- > le32_to_cpu(ir->index.allocated_size))) {
+ || (le32_to_cpu(ir->index.allocated_size)
+ < le32_to_cpu(ir->index.index_length))
+ || (le32_to_cpu(a->value_length)
+ < (le32_to_cpu(ir->index.allocated_size)
+ + offsetof(INDEX_ROOT, reserved)))) {
 ntfs_log_error("Corrupt index root"
 " in MFT record %lld.\n",
 (long long)inum);
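Review bot: The last added test still adds before it compares: `le32_to_cpu(ir->index.allocated_size) + offsetof(INDEX_ROOT, reserved)` can wrap on builds where `size_t` is 32 bits, and with the `& 0xff000000` mask on `index_length` removed, nothing else in this condition bounds `allocated_size`, so a value near 0xffffffff read from a corrupt volume would pass the check. Moving the constant to the other side avoids the sum, e.g. `|| ((le32_to_cpu(a->value_length) - offsetof(INDEX_ROOT, reserved)) < le32_to_cpu(ir->index.allocated_size))`; this cannot underflow once the earlier `value_length < offsetof(INDEX_ROOT, index.reserved)` test has passed, assuming `index` follows `reserved` in the struct (the layout is not visible here). The removed lines measured the header from `offsetof(INDEX_ROOT,index)` while the new bound uses `offsetof(INDEX_ROOT, reserved)`; if that looser base is intentional, a one-line comment saying why would help the next reader. The condition sits inside `ntfs_attr_consistent`, whose body starts and ends outside the hunk.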