From ed22721459a6b1dd43bb94362d93f214397a512c Mon Sep 17 00:00:00 2001
From: Gao Xiang
Date: Fri, 7 Mar 2025 20:37:18 +0800
Subject: [PATCH] erofs-utils: lib: error out if fragment_off is crafted

Found in some fuzzed images.

Fixes: f511cfbbc0da ("erofs-utils: introduce fragment cache")
Signed-off-by: Gao Xiang
Link: https://lore.kernel.org/r/20250307123718.1535556-1-hsiangkao@linux.alibaba.com
---
 lib/fragments.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/lib/fragments.c b/lib/fragments.c
index 2f5fbf9..05bbf0d 100644
--- a/lib/fragments.c
+++ b/lib/fragments.c
@@ -524,6 +524,11 @@ int erofs_packedfile_read(struct erofs_sb_info *sbi,
 	erofs_blk_t bnr = erofs_blknr(sbi, pos);
 	bool uptodate;
 
+	if (__erofs_unlikely(bnr > (epi->uptodate_size << 3))) {
+		erofs_err("packed inode EOF exceeded @ %llu",
+			  pos | 0ULL);
+		return -EFSCORRUPTED;
+	}
 	map.m_la = round_down(pos, bsz);
 	len = min_t(erofs_off_t, bsz - (pos & (bsz - 1)), end - pos);
-- 
2.34.1
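Review bot: The new guard in erofs_packedfile_read lets `bnr == epi->uptodate_size << 3` through, which looks like an off-by-one: if `uptodate_size` is the byte length of the `uptodate` bitmap (the `<< 3` converting bytes to bits suggests it is), the valid block indices are `0 .. (uptodate_size << 3) - 1`, and a `bnr` equal to the bit count would later index one byte past the end of the bitmap. I would make the comparison inclusive, `if (__erofs_unlikely(bnr >= (epi->uptodate_size << 3))) {`, and add a comment such as `/* bnr indexes the uptodate bitmap; reject anything at or beyond its last bit */` so the bound's meaning is explicit; confirm against the definition of `uptodate_size` in erofs_packedfile_init, which is outside this hunk. The enclosing loop and function start and end outside the hunk, so I cannot see whether the bitmap access itself has a separate check.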