author | Theodore Ts'o <tytso@mit.edu> | 2020-03-20 15:24:18 -0400 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2020-03-20 15:24:18 -0400 |
commit | 23c6ef3de362aa291a15cc21a8a82a534a785fde (patch) | |
tree | 340f3d1234bcebee76396098f197dc6fdf41a715 | |
parent | 125850eb92f042c76b6f001bf63833ffc15e7916 (diff) | |
download | e2fsprogs-23c6ef3de362aa291a15cc21a8a82a534a785fde.tar.gz |
libext2fs: fix the {set_get}_bitmap_range functions when bitmap->start > 7
The bitmap array's set/get bitmap_range functions were not subtracting
out bitmap->start. This doesn't matter for normal file systems, since
the bitmap->start is zero or one, and the passed-in starting range is
a multiple of eight, and the starting range is then divided by 8.
But with a non-standard/fuzzed file system, bitmap->start could be
significantly larger, and this could then lead to an array out of
bounds memory reference.
Google-Bug-Id: 147849134
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | lib/ext2fs/gen_bitmap.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ext2fs/gen_bitmap.c b/lib/ext2fs/gen_bitmap.c index c94c21b66..1536d4b3e 100644 --- a/lib/ext2fs/gen_bitmap.c +++ b/lib/ext2fs/gen_bitmap.c @@ -418,7 +418,7 @@ errcode_t ext2fs_get_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap, if ((start < bmap->start) || (start+num-1 > bmap->real_end)) return EXT2_ET_INVALID_ARGUMENT; - memcpy(out, bmap->bitmap + (start >> 3), (num+7) >> 3); + memcpy(out, bmap->bitmap + ((start - bmap->start) >> 3), (num+7) >> 3); return 0; } @@ -435,7 +435,7 @@ errcode_t ext2fs_set_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap, if ((start < bmap->start) || (start+num-1 > bmap->real_end)) return EXT2_ET_INVALID_ARGUMENT; - memcpy(bmap->bitmap + (start >> 3), in, (num+7) >> 3); + memcpy(bmap->bitmap + ((start - bmap->start) >> 3), in, (num+7) >> 3); return 0; } |
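Review bot: In the first hunk (ext2fs_get_generic_bitmap_range), the new offset `(start - bmap->start) >> 3` discards the low three bits, so a start that is not a multiple of eight bits past bmap->start is silently rounded down to the enclosing byte and the caller receives bits from before the position it asked for. Either return EXT2_ET_INVALID_ARGUMENT for that case next to the existing range check, or state the alignment requirement in a comment above the memcpy.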
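Review bot: In the second hunk (ext2fs_set_generic_bitmap_range), the unchanged check `start+num-1 > bmap->real_end` is the only thing bounding this memcpy into bmap->bitmap, and it can wrap for a large num (or evaluate to start-1 when num is 0) if start and num are unsigned 32-bit values, which the hunk does not show. Since the fix is aimed at fuzzed file systems, consider restructuring the test so it cannot wrap, for example rejecting start > bmap->real_end first and then comparing num-1 against bmap->real_end - start, with num == 0 handled explicitly. The same context line guards the memcpy in the get function.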