fs/ntfs3: Check if more than chunk-size bytes are written

A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance <andrewjballance@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
author: Andrew Ballance <andrewjballance@gmail.com> 2024-05-15 07:38:33 -0500
committer: Konstantin Komarov <almaz.alexandrovich@paragon-software.com> 2024-09-03 16:58:39 +0300
commit: 9931122d04c6d431b2c11b5bb7b10f28584067f0 (patch)
tree: 8f1235ef22ecf0f22dfd4cc948f206348e22cd0d /fs/ntfs3/lznt.c
parent: 556bdf27c2dd5c74a9caacbe524b943a6cd42d99 (diff)
download: lwn-9931122d04c6d431b2c11b5bb7b10f28584067f0.tar.gz
lwn-9931122d04c6d431b2c11b5bb7b10f28584067f0.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/ntfs3/lznt.c b/fs/ntfs3/lznt.c
index 4aae598d6d88..fdc9b2ebf341 100644
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,
 
 	/* Do decompression until pointers are inside range. */
 	while (up < unc_end && cmpr < cmpr_end) {
+		// return err if more than LZNT_CHUNK_SIZE bytes are written
+		if (up - unc > LZNT_CHUNK_SIZE)
+			return -EINVAL;
 		/* Correct index */
 		while (unc + s_max_off[index] < up)
 			index += 1;
author	Andrew Ballance <andrewjballance@gmail.com>	2024-05-15 07:38:33 -0500
committer	Konstantin Komarov <almaz.alexandrovich@paragon-software.com>	2024-09-03 16:58:39 +0300
commit	9931122d04c6d431b2c11b5bb7b10f28584067f0 (patch)
tree	8f1235ef22ecf0f22dfd4cc948f206348e22cd0d /fs/ntfs3/lznt.c
parent	556bdf27c2dd5c74a9caacbe524b943a6cd42d99 (diff)
download	lwn-9931122d04c6d431b2c11b5bb7b10f28584067f0.tar.gz lwn-9931122d04c6d431b2c11b5bb7b10f28584067f0.zip