From 3956c16d0b1ba2e35b32530de80f68f29c8a8ae8 Mon Sep 17 00:00:00 2001 From: David Sterba Date: Mon, 3 Oct 2016 14:52:30 +0200 Subject: [PATCH] btrfs-progs: image: catch zero length extents, avoid endless loop If an extent is found to have length 0, we'd loop endlessly in copy_from_extent_tree. Reproduced by fuzzed image bko-166361-blocksize-zero.raw within test 002-simple-image . Signed-off-by: David Sterba --- btrfs-image.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/btrfs-image.c b/btrfs-image.c index 6bb8d47..bbe4f63 100644 --- a/btrfs-image.c +++ b/btrfs-image.c @@ -1264,10 +1264,18 @@ static int copy_from_extent_tree(struct metadump_struct *metadump, } bytenr = key.objectid; - if (key.type == BTRFS_METADATA_ITEM_KEY) + if (key.type == BTRFS_METADATA_ITEM_KEY) { num_bytes = extent_root->nodesize; - else + } else { num_bytes = key.offset; + } + + if (num_bytes == 0) { + error("extent length 0 at bytenr %llu key type %d", + (unsigned long long)bytenr, key.type); + ret = -EIO; + break; + } if (btrfs_item_size_nr(leaf, path->slots[0]) > sizeof(*ei)) { ei = btrfs_item_ptr(leaf, path->slots[0], -- 2.7.4
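Review bot: The new `if (num_bytes == 0)` guard gives no hint of why a zero length is fatal; that reasoning lives only in the commit message, so a short comment above the check would keep it with the code: `/* A zero-length extent never advances the copy loop below; treat it as corruption. */`. The same comment could note that the guard also covers the metadata branch, where `num_bytes` comes from `extent_root->nodesize`, so a zero nodesize from a damaged superblock is rejected at this point as well. After `break` the function depends on the post-loop path returning the `ret = -EIO` just set, and that path lies outside the hunk; whether a nonzero but out-of-range `key.offset` (one that makes `bytenr + num_bytes` wrap) is validated elsewhere is likewise not visible here. copy_from_extent_tree begins and ends outside the hunk.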