libext2fs: fix the s_log_block_size check in ext2fs_open()
authorTheodore Ts'o <tytso@mit.edu>
Mon, 17 Jul 2017 23:55:39 +0000 (19:55 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Mon, 17 Jul 2017 23:55:39 +0000 (19:55 -0400)
The s_log_block_size check can fail to detect an invalid value if it is
between UINT_MAX-9 and UINT_MAX, which can lead to ext2fs_open()
crashing with a division by zero error.

This bug was found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

Addresses-Debian-Bug: #868489

Reported-by: jwilk@jwilk.net
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/openfs.c

index 93b02ed86a8af32aaa9e452e40f28726b4792714..0362b283977bc4d5859c79a5d7a9d09c67a33e98 100644 (file)
@@ -275,8 +275,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
                }
        }
 
-       if ((fs->super->s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) >
-           EXT2_MAX_BLOCK_LOG_SIZE) {
+       if (fs->super->s_log_block_size >
+           (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)) {
                retval = EXT2_ET_CORRUPT_SUPERBLOCK;
                goto cleanup;
        }
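Review bot: The rewritten comparison on `fs->super->s_log_block_size` has no comment saying why the constants now sit on the right-hand side, so a later tidy-up could fold it back into the wrapping addition. I would put `/* s_log_block_size comes from disk and is untrusted: compare against the difference so the unsigned addition cannot wrap */` directly above the `if`. The `(unsigned)` cast is only safe while EXT2_MAX_BLOCK_LOG_SIZE is not smaller than EXT2_MIN_BLOCK_LOG_SIZE, since a negative difference would become a very large bound. Their definitions are outside this hunk, so that ordering is worth confirming where they are defined. ext2fs_open2 starts and ends outside the hunk, so any later use of the field as a shift count or divisor is not visible here.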