libext2fs: verify the block numbers for the allocation bitmaps are valid
This avoids a potential UBsan failure when we multiply an insanely
high block number with the block size and we get a multiplication
overflow.
Google-Bug-Id: 128130353
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
diff --git a/lib/ext2fs/rw_bitmaps.c b/lib/ext2fs/rw_bitmaps.c
index e092cab..d80c9eb 100644
--- a/lib/ext2fs/rw_bitmaps.c
+++ b/lib/ext2fs/rw_bitmaps.c
@@ -306,9 +306,10 @@
for (i = 0; i < fs->group_desc_count; i++) {
if (block_bitmap) {
blk = ext2fs_block_bitmap_loc(fs, i);
- if (csum_flag &&
- ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
- ext2fs_group_desc_csum_verify(fs, i))
+ if ((csum_flag &&
+ ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
+ ext2fs_group_desc_csum_verify(fs, i)) ||
+ (blk >= ext2fs_blocks_count(fs->super)))
blk = 0;
if (blk) {
retval = io_channel_read_blk64(fs->io, blk,
@@ -340,9 +341,10 @@
}
if (inode_bitmap) {
blk = ext2fs_inode_bitmap_loc(fs, i);
- if (csum_flag &&
- ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
- ext2fs_group_desc_csum_verify(fs, i))
+ if ((csum_flag &&
+ ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
+ ext2fs_group_desc_csum_verify(fs, i)) ||
+ (blk >= ext2fs_blocks_count(fs->super)))
blk = 0;
if (blk) {
retval = io_channel_read_blk64(fs->io, blk,