diff options
Diffstat (limited to 'fs')
-rw-r--r-- | fs/udf/inode.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 5c996c1..e081440 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c @@ -1401,6 +1401,19 @@ static void udf_fill_inode(struct inode *inode, struct buffer_head *bh) iinfo->i_lenEAttr; } + /* + * Sanity check length of allocation descriptors and extended attrs to + * avoid integer overflows + */ + if (iinfo->i_lenEAttr > bs || iinfo->i_lenAlloc > bs) { + make_bad_inode(inode); + return; + } + /* Now do exact checks */ + if (udf_file_entry_alloc_offset(inode) + iinfo->i_lenAlloc > bs) { + make_bad_inode(inode); + return; + } /* Sanity checks for files in ICB so that we don't get confused later */ if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { /* |