From: Dmitry Monakhov
Date: Thu, 11 Dec 2014 22:57:12 +0000 (-0500)
Subject: ext2fs: fix integer overflow in rb_get_bmap_range
X-Git-Tag: v1.43-WIP-2015-05-18~124
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e50e985d6ab10cc68e14dccc2083c70ced9b09c3;p=thirdparty%2Fe2fsprogs.git

ext2fs: fix integer overflow in rb_get_bmap_range

bmap_rb_extent is defined as __u64:blk __u64:count. So count can exceed INT_MAX on populated filesystems.

TESTCASE: xfstest ext4/004
Signed-off-by: Dmitry Monakhov
Signed-off-by: Theodore Ts'o
---
diff --git a/lib/ext2fs/blkmap64_rb.c b/lib/ext2fs/blkmap64_rb.c
index 8d1778d61..7964fdb8c 100644
--- a/lib/ext2fs/blkmap64_rb.c
+++ b/lib/ext2fs/blkmap64_rb.c
@@ -733,8 +733,7 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
 struct rb_node *parent = NULL, *next, **n;
 struct ext2fs_rb_private *bp;
 struct bmap_rb_extent *ext;
- int count;
- __u64 pos;
+ __u64 count, pos;

 bp = (struct ext2fs_rb_private *) bitmap->private;
 n = &bp->root.rb_node;
@@ -765,9 +764,9 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
 if (pos >= start + num)
 break;
 if (pos < start) {
- count -= start - pos;
- if (count < 0)
+ if (pos + count < start)
 continue;
+ count -= start - pos;
 pos = start;
 }
 if (pos + count > start + num)
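Review bot: In the second hunk the order of the overlap check and the subtraction inside `if (pos < start)` is now load-bearing, and nothing in the code says so. Because `count` is unsigned after this change, running `count -= start - pos` on an extent that ends before `start` would wrap to a very large value instead of going negative, so a later reordering would silently turn a skipped extent into an oversized range. I would add a comment above the check, for example `/* count is unsigned: skip non-overlapping extents before subtracting */`, and consider `if (pos + count <= start)` so an extent ending exactly at `start` is skipped rather than carried on with `count == 0`. The code that consumes `count` after the final clamp lies outside this hunk, so any narrower local derived from it (an `int` byte count, for instance) could not be checked here and is worth confirming against the new 64-bit type.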