From f3999a74c68b26d04d6d34302d8d5dcb8e3ac56d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?=
Date: Mon, 12 Jul 2021 08:31:17 +0200
Subject: [PATCH] Fixed consistency check of MFT attributes in ntfsfix

The consistency check could be defeated as a consequence of integer overflow. Reorganize it to avoid such situations.
---
 ntfsprogs/ntfsfix.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ntfsprogs/ntfsfix.c b/ntfsprogs/ntfsfix.c
index da92fadc..b214068f 100644
--- a/ntfsprogs/ntfsfix.c
+++ b/ntfsprogs/ntfsfix.c
@@ -780,16 +780,19 @@ static ATTR_RECORD *find_unnamed_attr(MFT_RECORD *mrec, ATTR_TYPES type)
 {
 ATTR_RECORD *a;
 u32 offset;
+ s32 space;
 
 /* fetch the requested attribute */
 offset = le16_to_cpu(mrec->attrs_offset);
+ space = le32_to_cpu(mrec->bytes_in_use) - offset;
 a = (ATTR_RECORD*)((char*)mrec + offset);
- while (((offset + le32_to_cpu(a->length))
- < le32_to_cpu(mrec->bytes_in_use))
- && !(le32_to_cpu(a->length) & 7)
+ while ((space >= (s32)offsetof(ATTR_RECORD, resident_end))
 && (a->type != AT_END)
+ && (le32_to_cpu(a->length) <= (u32)space)
+ && !(le32_to_cpu(a->length) & 7)
 && ((a->type != type) || a->name_length)) {
 offset += le32_to_cpu(a->length);
+ space -= le32_to_cpu(a->length);
 a = (ATTR_RECORD*)((char*)mrec + offset);
 }
 if ((offset >= le32_to_cpu(mrec->bytes_in_use))
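Review bot: A zero-length attribute record still traps the loop in the new while condition: both `le32_to_cpu(a->length) <= (u32)space` and the `& 7` test accept a length of 0, so `offset` and `space` never advance and the loop does not terminate on a corrupted record, the same gap the old `offset + length < bytes_in_use` bound had. Requiring a minimum header size, `&& (le32_to_cpu(a->length) >= (u32)offsetof(ATTR_RECORD, resident_end))` ahead of the `<= (u32)space` test, guarantees forward progress and also ensures the fields read from `a` lie inside the record. The rejection of an `attrs_offset` beyond `bytes_in_use` works only because the unsigned subtraction in `space = le32_to_cpu(mrec->bytes_in_use) - offset;` wraps into a negative `s32`, which is an implementation-defined conversion in C11; computing it as `space = (offset <= le32_to_cpu(mrec->bytes_in_use)) ? (s32)(le32_to_cpu(mrec->bytes_in_use) - offset) : -1;` states the intent without relying on that. `space` is also only as trustworthy as `bytes_in_use`, which comes from the on-disk record, so unless the caller has already bounded it by the MFT record size the walk can still read past the buffer; that check is not visible here. The rest of find_unnamed_attr lies outside the hunk.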