diff options
Diffstat (limited to 'fs/udf/inode.c')
-rw-r--r-- | fs/udf/inode.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 287cd5f23421..142d29e3ccdf 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1496,6 +1496,22 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_checkpoint = le32_to_cpu(efe->checkpoint); } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > inode->i_sb->s_blocksize + || iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + + iinfo->i_lenAlloc > inode->i_sb->s_blocksize) { + make_bad_inode(inode); + return; + } + switch (fe->icbTag.fileType) { case ICBTAG_FILE_TYPE_DIRECTORY: inode->i_op = &udf_dir_inode_operations; |