libext2fs: fix the {set_get}_bitmap_range functions when bitmap->start > 7

The bitmap array's set/get bitmap_range functions were not subtracting
out bitmap->start.  This doesn't matter for normal file systems, since
the bitmap->start is zero or one, and the passed-in starting range is
a multiple of eight, and the starting range is then divided by 8.

But with a non-standard/fuzzed file system, bitmap->start could be
significantly larger, and this could then lead to a array out of
bounds memory reference.

Google-Bug-Id: 147849134
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/ext2fs/gen_bitmap.c b/lib/ext2fs/gen_bitmap.c
index c94c21b663dc3aaef09cc0740f0b114d20220232..1536d4b3ea1ce3ea3144dc5a9035b651827bc4ac 100644 (file)
--- a/lib/ext2fs/gen_bitmap.c
+++ b/lib/ext2fs/gen_bitmap.c
@@ -418,7 +418,7 @@ errcode_t ext2fs_get_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
        if ((start < bmap->start) || (start+num-1 > bmap->real_end))
                return EXT2_ET_INVALID_ARGUMENT;
 
-       memcpy(out, bmap->bitmap + (start >> 3), (num+7) >> 3);
+       memcpy(out, bmap->bitmap + ((start - bmap->start) >> 3), (num+7) >> 3);
        return 0;
 }
 
@@ -435,7 +435,7 @@ errcode_t ext2fs_set_generic_bitmap_range(ext2fs_generic_bitmap gen_bmap,
        if ((start < bmap->start) || (start+num-1 > bmap->real_end))
                return EXT2_ET_INVALID_ARGUMENT;
 
-       memcpy(bmap->bitmap + (start >> 3), in, (num+7) >> 3);
+       memcpy(bmap->bitmap + ((start - bmap->start) >> 3), in, (num+7) >> 3);
        return 0;
 }