authorTheodore Ts'o <tytso@mit.edu>2020-03-20 15:24:18 -0400
committerTheodore Ts'o <tytso@mit.edu>2020-03-20 15:24:18 -0400
commit23c6ef3de362aa291a15cc21a8a82a534a785fde (patch)
tree340f3d1234bcebee76396098f197dc6fdf41a715
parent125850eb92f042c76b6f001bf63833ffc15e7916 (diff)
downloade2fsprogs-23c6ef3de362aa291a15cc21a8a82a534a785fde.tar.gz
libext2fs: fix the {set_get}_bitmap_range functions when bitmap->start > 7
The bitmap array's set/get bitmap_range functions were not subtracting out bitmap->start. This doesn't matter for normal file systems, since the bitmap->start is zero or one, and the passed-in starting range is a multiple of eight, and the starting range is then divided by 8. But with a non-standard/fuzzed file system, bitmap->start could be significantly larger, and this could then lead to an out-of-bounds array memory reference. Google-Bug-Id: 147849134 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--lib/ext2fs/gen_bitmap.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ext2fs/gen_bitmap.c b/lib/ext2fs/gen_bitmap.c
index c94c21b66..1536d4b3e 100644
--- a/lib/ext2fs/gen_bitmap.c
+++ b/lib/ext2fs/gen_bitmap.c
@@ -418,7 +418,7 @@ errcode_t ext2fs_get_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
if ((start < bmap->start) || (start+num-1 > bmap->real_end))
return EXT2_ET_INVALID_ARGUMENT;
- memcpy(out, bmap->bitmap + (start >> 3), (num+7) >> 3);
+ memcpy(out, bmap->bitmap + ((start - bmap->start) >> 3), (num+7) >> 3);
return 0;
}
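Review bot: The range check kept just above the changed line, `start+num-1 > bmap->real_end`, is evaluated in the parameters' own type, so if `start` and `num` are 32-bit unsigned (their declarations are in the signature, outside this hunk) a large `num` can wrap the sum back under `real_end` while `(num+7) >> 3` is still a large memcpy length. Since the commit is hardening against fuzzed file systems, I would make the check subtraction-based, e.g. `if ((start < bmap->start) || (start > bmap->real_end) || (num > bmap->real_end - start + 1))`, with care for the corner where `real_end - start + 1` itself wraps. The same check guards the memcpy in ext2fs_set_generic_bitmap_range in the second hunk, where the effect would be an out-of-bounds write rather than a read.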
@@ -435,7 +435,7 @@ errcode_t ext2fs_set_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
if ((start < bmap->start) || (start+num-1 > bmap->real_end))
return EXT2_ET_INVALID_ARGUMENT;
- memcpy(bmap->bitmap + (start >> 3), in, (num+7) >> 3);
+ memcpy(bmap->bitmap + ((start - bmap->start) >> 3), in, (num+7) >> 3);
return 0;
}
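Review bot: `(start - bmap->start) >> 3` discards the low three bits of the offset, so a `start` for which `start - bmap->start` is not a multiple of eight makes this memcpy overwrite whole bytes beginning before the requested bit, and nothing in the hunk rejects or documents that. The commit message states the requirement as `start` being a multiple of eight, but after this change the quantity that must be byte-aligned is `start - bmap->start`. I would either document it above the function, `/* (start - bmap->start) must be a multiple of 8; the copy is byte-granular */`, or reject it with `if ((start - bmap->start) & 7) return EXT2_ET_INVALID_ARGUMENT;` if no existing caller relies on the truncation. The same applies to the memcpy in ext2fs_get_generic_bitmap_range in the first hunk; both function bodies begin outside their hunks.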