From: Thomas Weißschuh
Date: Sat, 21 Jan 2023 05:01:55 +0000 (+0000)
Subject: libblkid: bcachefs: fix endless loop
X-Git-Tag: v2.39-rc1~130^2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6eb7c99b2932a6058a033d0a805e5883d0bb1e9f;p=thirdparty%2Futil-linux.git
libblkid: bcachefs: fix endless loop
When a field has size 0 it will loop forever.
See #2031
---
diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
index 64ece86471..4848534e60 100644
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -183,10 +183,19 @@ static void probe_bcachefs_sb_fields(blkid_probe pr, const struct bcachefs_super
 while (1) {
 struct bcachefs_sb_field *field = (struct bcachefs_sb_field *) field_addr;
+ uint64_t field_size;
 int32_t type;
 if ((unsigned char *) field + sizeof(*field) > sb_end)
- return;
+ break;
+
+ field_size = BYTES(field);
+
+ if (field_size < sizeof(*field))
+ break;
+
+ if ((unsigned char *) field + field_size > sb_end)
+ break;
 type = le32_to_cpu(field->type);
 if (!type)
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291
new file mode 100644
index 0000000000..79e2fd0fb5
Binary files /dev/null and b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55291 differ
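Review bot: The new bound check `if ((unsigned char *) field + field_size > sb_end)` forms a pointer from an on-disk, attacker-controlled size before comparing it, so a crafted superblock with a huge field size makes the code compute an out-of-range pointer first; pointer overflow is undefined in C and compilers are entitled to fold such comparisons away. Compare the remaining room instead, which never leaves the buffer: `if (field_size > (uint64_t)(sb_end - (unsigned char *) field)) break;`. Whether field_size can actually wrap on a 64-bit build depends on how BYTES() derives it, which is not visible in this hunk; if it is a 32-bit u64s count times 8 the practical risk is small, but the size-based form costs nothing and also covers the first `sizeof(*field)` check if written the same way. The body of probe_bcachefs_sb_fields starts before and continues after this hunk, so what happens to field_addr after a break is not visible here.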