fsck.f2fs: sanity check segno and blk_off when building curseg array
author: Jin Qian <jinqian@google.com>
Thu, 27 Apr 2017 22:45:28 +0000 (15:45 -0700)
committer: Jaegeuk Kim <jaegeuk@kernel.org>
Thu, 27 Apr 2017 22:49:54 +0000 (15:49 -0700)
segno and blk_off were read from input image without sanity check. This
could lead to buffer overflow when accessing internal arrays like SIT
sentries and seg_entry cur_valid_map.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
fsck/mount.c

index c9c1635..6350ad6 100644 (file)
@@ -1130,6 +1130,9 @@ static void build_curseg(struct f2fs_sb_info *sbi)
                        blk_off = get_cp(cur_node_blkoff[i - CURSEG_HOT_NODE]);
                        segno = get_cp(cur_node_segno[i - CURSEG_HOT_NODE]);
                }
+               ASSERT(segno < TOTAL_SEGS(sbi));
+               ASSERT(blk_off < DEFAULT_BLOCKS_PER_SEGMENT);
+
                array[i].segno = segno;
                array[i].zone = GET_ZONENO_FROM_SEGNO(sbi, segno);
                array[i].next_segno = NULL_SEGNO;