libext2fs: verify the block numbers for the allocation bitmaps are valid

This avoids a potential UBsan failure when we multiply an insanely
high block number with the block size and we get a multiplication
overflow.

Google-Bug-Id: 128130353
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/ext2fs/rw_bitmaps.c b/lib/ext2fs/rw_bitmaps.c
index e092cab004718b837057e4177c3b1706fb0e0f06..d80c9eb8f9d7c0c56625e0de6a53972addddf50b 100644 (file)
--- a/lib/ext2fs/rw_bitmaps.c
+++ b/lib/ext2fs/rw_bitmaps.c
@@ -306,9 +306,10 @@ static errcode_t read_bitmaps(ext2_filsys fs, int do_inode, int do_block)
        for (i = 0; i < fs->group_desc_count; i++) {
                if (block_bitmap) {
                        blk = ext2fs_block_bitmap_loc(fs, i);
-                       if (csum_flag &&
-                           ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
-                           ext2fs_group_desc_csum_verify(fs, i))
+                       if ((csum_flag &&
+                            ext2fs_bg_flags_test(fs, i, EXT2_BG_BLOCK_UNINIT) &&
+                            ext2fs_group_desc_csum_verify(fs, i)) ||
+                           (blk >= ext2fs_blocks_count(fs->super)))
                                blk = 0;
                        if (blk) {
                                retval = io_channel_read_blk64(fs->io, blk,
@@ -340,9 +341,10 @@ static errcode_t read_bitmaps(ext2_filsys fs, int do_inode, int do_block)
                }
                if (inode_bitmap) {
                        blk = ext2fs_inode_bitmap_loc(fs, i);
-                       if (csum_flag &&
-                           ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
-                           ext2fs_group_desc_csum_verify(fs, i))
+                       if ((csum_flag &&
+                            ext2fs_bg_flags_test(fs, i, EXT2_BG_INODE_UNINIT) &&
+                            ext2fs_group_desc_csum_verify(fs, i)) ||
+                           (blk >= ext2fs_blocks_count(fs->super)))
                                blk = 0;
                        if (blk) {
                                retval = io_channel_read_blk64(fs->io, blk,