erofs-utils: lib: error out if fragment_off is crafted
authorGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 7 Mar 2025 12:37:18 +0000 (20:37 +0800)
committerGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 7 Mar 2025 12:40:47 +0000 (20:40 +0800)
Found in some fuzzed images.

Fixes: f511cfbbc0da ("erofs-utils: introduce fragment cache")
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Link: https://lore.kernel.org/r/20250307123718.1535556-1-hsiangkao@linux.alibaba.com
lib/fragments.c

index 2f5fbf934ff7bd251e11c726027763c51aae7680..05bbf0dc4c066fe602ca047d28e2d94d438894e4 100644 (file)
@@ -524,6 +524,11 @@ int erofs_packedfile_read(struct erofs_sb_info *sbi,
                        erofs_blk_t bnr = erofs_blknr(sbi, pos);
                        bool uptodate;
 
+                       if (__erofs_unlikely(bnr > (epi->uptodate_size << 3))) {
+                               erofs_err("packed inode EOF exceeded @ %llu",
+                                         pos | 0ULL);
+                               return -EFSCORRUPTED;
+                       }
                        map.m_la = round_down(pos, bsz);
                        len = min_t(erofs_off_t, bsz - (pos & (bsz - 1)),
                                    end - pos);
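Review bot: The new bounds check on bnr may be off by one: if uptodate_size is the bitmap length in bytes, the valid bit indices are 0 to (uptodate_size << 3) - 1, so bnr == uptodate_size << 3 passes the `>` test and would still index one past the bitmap when the uptodate bit is read or set below; the boundary should then be `if (__erofs_unlikely(bnr >= (epi->uptodate_size << 3))) {`. This is inferred from the shift by 3 — the bitmap access itself and the type of uptodate_size are outside the hunk, so confirm against the definition of epi before changing it; if uptodate_size is narrower than erofs_blk_t, the shift could also wrap and should be done in a wider type. Since this guard is what keeps a crafted fragment_off from driving an out-of-bounds bitmap access, a short comment above it would help future readers, e.g. `/* bnr indexes the uptodate bitmap; reject offsets past its end (crafted images) */`. The erofs_packedfile_read body starts and ends outside the hunk.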