root_len comes from the on-disk root directory record (rdr+10) and was only rejected when zero. The extent is then mapped for min(root_len, 2048) bytes and the first record is validated by reading rootdata[0], rootdata[32], rootdata[33] and isonum_731(rootdata+2). blkid_probe_get_buffer() only rounds a request up to io_size when the rounded region still fits the probing area, so a root extent sitting in the final partial io_size block of a crafted image returns a buffer of exactly root_len bytes. With root_len between 1 and 33 and rootdata[0] >= 34, the validation reads offsets 32/33 past that buffer. Reject an extent too small to hold the 34-byte record, which the surrounding comment already assumes.
Signed-off-by: Aizal Khan <aizumusheer2@gmail.com>
uint64_t root_off = (uint64_t) root_lba * logical_block_size;
const unsigned char *rootdata;
- if (root_len == 0)
+ /*
+ * A valid root directory holds at least the 34-byte "."
+ * record inspected below (offsets up to 33). A shorter extent
+ * cannot be valid and would under-map the buffer, so the fixed
+ * offset reads must not run before this check.
+ */
+ if (root_len < 34)
return 1;
rootdata = blkid_probe_get_buffer(pr, root_off,