libext2fs: add stricter checks on the inode size in ext2fs_open2()
authorTheodore Ts'o <tytso@mit.edu>
Sun, 23 Jul 2017 04:26:44 +0000 (00:26 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Sun, 23 Jul 2017 04:44:49 +0000 (00:44 -0400)
An inode size larger than the block size can cause userspace programs
to crash.

This problem was found using American Fuzzy Lop.

Reported-by: Adam Buchbinder <abuchbinder@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/openfs.c

index 0362b283977bc4d5859c79a5d7a9d09c67a33e98..da03bc147de0de3e11487db76df5cebb02488acc 100644 (file)
@@ -121,6 +121,7 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
        blk64_t         group_block, blk;
        char            *dest, *cp;
        int             group_zero_adjust = 0;
+       int             inode_size;
 #ifdef WORDS_BIGENDIAN
        unsigned int    groups_per_block;
        struct ext2_group_desc *gdp;
@@ -297,7 +298,10 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
                goto cleanup;
        }
        fs->fragsize = fs->blocksize = EXT2_BLOCK_SIZE(fs->super);
-       if (EXT2_INODE_SIZE(fs->super) < EXT2_GOOD_OLD_INODE_SIZE) {
+       inode_size = EXT2_INODE_SIZE(fs->super);
+       if ((inode_size < EXT2_GOOD_OLD_INODE_SIZE) ||
+           (inode_size > fs->blocksize) ||
+           (inode_size & (inode_size - 1))) {
                retval = EXT2_ET_CORRUPT_SUPERBLOCK;
                goto cleanup;
        }
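Review bot: The new upper bound `(inode_size > fs->blocksize)` compares the signed `int inode_size` declared in the first hunk against `fs->blocksize`, which is presumably an unsigned field, so the check relies on an implicit signed-to-unsigned conversion. The value read through EXT2_INODE_SIZE appears to be a non-negative on-disk quantity, so declaring it as `unsigned int inode_size;` would keep both the bound and the `inode_size & (inode_size - 1)` power-of-two test free of sign questions and quiet under -Wsign-compare. Because the superblock is untrusted input, a one-line comment above the condition would record the intent, for example `/* inode size must be >= the old fixed size, fit in one block, and be a power of two */`. The body of ext2fs_open2 starts and ends outside this hunk, so any earlier validation of the block size itself is not visible here.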