blk_off is read from image. Attacker can construct an image with big
blk_off that triggers overflow on se->cur_valid_map.
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
struct seg_entry *se;
int j, nblocks;
+ if ((curseg->next_blkoff >> 3) >= SIT_VBLOCK_MAP_SIZE)
+ return -EINVAL;
se = get_seg_entry(sbi, curseg->segno);
if (f2fs_test_bit(curseg->next_blkoff,
(const char *)se->cur_valid_map)) {
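Review bot: the bounds check at `if ((curseg->next_blkoff >> 3) >= SIT_VBLOCK_MAP_SIZE)` guards the field `next_blkoff`, but the commit message only talks about `blk_off`; the message should name the field actually being validated so the fix is traceable to the on-disk value. Also, the early `return -EINVAL;` silently rejects what is, by the description, a corrupted or attacker-constructed image; consider emitting a diagnostic (as f2fs does elsewhere for corrupted metadata) with the offending `next_blkoff` and `curseg->segno` before returning, so that a mount or recovery failure on such an image can be diagnosed and detected in logs rather than appearing as an unexplained error. The check itself is placed before the `f2fs_test_bit(curseg->next_blkoff, (const char *)se->cur_valid_map)` read it protects, which is the correct ordering.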