From: Gao Xiang Date: Fri, 7 Mar 2025 12:37:18 +0000 (+0800) Subject: erofs-utils: lib: error out if fragment_off is crafted X-Git-Tag: accepted/tizen/unified/20250610.081809~28 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ed22721459a6b1dd43bb94362d93f214397a512c;p=platform%2Fupstream%2Ferofs-utils.git erofs-utils: lib: error out if fragment_off is crafted Found in some fuzzed images. Fixes: f511cfbbc0da ("erofs-utils: introduce fragment cache") Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20250307123718.1535556-1-hsiangkao@linux.alibaba.com --- diff --git a/lib/fragments.c b/lib/fragments.c index 2f5fbf9..05bbf0d 100644 --- a/lib/fragments.c +++ b/lib/fragments.c @@ -524,6 +524,11 @@ int erofs_packedfile_read(struct erofs_sb_info *sbi, erofs_blk_t bnr = erofs_blknr(sbi, pos); bool uptodate; + if (__erofs_unlikely(bnr > (epi->uptodate_size << 3))) { + erofs_err("packed inode EOF exceeded @ %llu", + pos | 0ULL); + return -EFSCORRUPTED; + } map.m_la = round_down(pos, bsz); len = min_t(erofs_off_t, bsz - (pos & (bsz - 1)), end - pos);
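Review bot: The new bound in erofs_packedfile_read() compares with `>` where `>=` looks intended, in the added line `if (__erofs_unlikely(bnr > (epi->uptodate_size << 3)))`. If `uptodate_size` is the byte length of a per-block uptodate bitmap, as the `<< 3` suggests, then `uptodate_size << 3` is the number of tracked blocks and valid zero-based indexes stop one below it. A crafted `fragment_off` that makes `bnr` exactly equal to that count would still pass and index one bit past the bitmap. Consider `bnr >= (epi->uptodate_size << 3)`, or compare `pos` against the packed inode size directly so the check does not depend on how the bitmap size was rounded. The commit message says only "Found in some fuzzed images"; a sentence naming what is bounded (the block number derived from `pos` against the uptodate bitmap) and the out-of-bounds access being prevented would help anyone backporting this to judge whether their tree is affected.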