libblkid: bcachefs: fix endless loop

author Thomas Weißschuh <thomas@t-8ch.de>

Sat, 21 Jan 2023 05:01:55 +0000 (05:01 +0000)

committer Thomas Weißschuh <thomas@t-8ch.de>

Sat, 21 Jan 2023 05:19:31 +0000 (05:19 +0000)
author Thomas Weißschuh <thomas@t-8ch.de>
Sat, 21 Jan 2023 05:01:55 +0000 (05:01 +0000)
committer Thomas Weißschuh <thomas@t-8ch.de>
Sat, 21 Jan 2023 05:19:31 +0000 (05:19 +0000)
diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c

index 64ece86471d120727012d6c242429f8c01fde26e..4848534e602be0d1b44f8da2a7835c4cd22aaae3 100644 (file)
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -183,10 +183,19 @@ static void probe_bcachefs_sb_fields(blkid_probe pr, const struct bcachefs_super
  
         while (1) {
                 struct bcachefs_sb_field *field = (struct bcachefs_sb_field *) field_addr;
+               uint64_t field_size;
                 int32_t type;
  
                 if ((unsigned char *) field + sizeof(*field) > sb_end)
-                       return;
+                       break;
+
+               field_size = BYTES(field);
+
+               if (field_size < sizeof(*field))
+                       break;
+
+               if ((unsigned char *) field + field_size > sb_end)
+                       break;
  
                 type = le32_to_cpu(field->type);
                 if (!type)
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291

new file mode 100644 (file)

index 0000000..79e2fd0

Binary files /dev/null and b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291 differ
author	Thomas Weißschuh <thomas@t-8ch.de>
	Sat, 21 Jan 2023 05:01:55 +0000 (05:01 +0000)
committer	Thomas Weißschuh <thomas@t-8ch.de>
	Sat, 21 Jan 2023 05:19:31 +0000 (05:19 +0000)
libblkid/src/superblocks/bcache.c		patch \| blob \| blame \| history
tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291	[new file with mode: 0644]	patch \| blob