From 9c82a8ca123a4e4028d51f4e38c7c3cfbdc74711 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20Wei=C3=9Fschuh?=
Date: Thu, 10 Nov 2022 18:35:00 +0100
Subject: [PATCH] libblkid: ntfs: avoid UB in signed shift
Fix OSS-Fuzz issue 53142 ( #1886 )
Fix OSS-Fuzz issue 53160 ( #1888 )
---
 libblkid/src/superblocks/ntfs.c | 10 +++++++---
 .../fuzzers/test_blkid_fuzz_files/oss-fuzz-53142 | Bin 0 -> 1025 bytes
 .../fuzzers/test_blkid_fuzz_files/oss-fuzz-53160 | Bin 0 -> 1024 bytes
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53142
 create mode 100644 tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53160
diff --git a/libblkid/src/superblocks/ntfs.c b/libblkid/src/superblocks/ntfs.c
index b5799c3e33..1c53fd29d8 100644
--- a/libblkid/src/superblocks/ntfs.c
+++ b/libblkid/src/superblocks/ntfs.c
@@ -135,11 +135,15 @@ static int __probe_ntfs(blkid_probe pr, const struct blkid_idmag *mag, int save_
 }
 }
- if (ns->clusters_per_mft_record > 0)
+ if (ns->clusters_per_mft_record > 0) {
 mft_record_size = ns->clusters_per_mft_record * sectors_per_cluster * sector_size;
- else
- mft_record_size = 1 << (0 - ns->clusters_per_mft_record);
+ } else {
+ int8_t mft_record_size_shift = 0 - ns->clusters_per_mft_record;
+ if (mft_record_size_shift < 0 || mft_record_size_shift >= 31)
+ return 1;
+ mft_record_size = 1 << mft_record_size_shift;
+ }
 nr_clusters = le64_to_cpu(ns->number_of_sectors) / sectors_per_cluster;
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53142 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53142
new file mode 100644
index 0000000000000000000000000000000000000000..b671bcd89ff4fec0a4b15452e4bd509bf85d1641
GIT binary patch literal 1025 zc-m7?Q1Ag{E}%dYKu4>F9iVemje3TD F005PR*V+I8 literal 0 Hc-jL100001
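Review bot: In the new `else` branch of the ntfs.c hunk the shift amount is stored in an `int8_t`, so if `ns->clusters_per_mft_record` is a signed 8-bit field (as the `int8_t` local suggests) and holds -128, the value 128 is narrowed by an implementation-defined conversion and the `< 0` test only rejects it on compilers that wrap. Computing it in a plain `int` removes that dependency: `int mft_record_size_shift = -(int)ns->clusters_per_mft_record;` with the existing `>= 31` check, and `mft_record_size = 1U << mft_record_size_shift;` keeps the shift itself in unsigned arithmetic. The bound also still lets on-disk data select a record size of up to 1 GiB; if `mft_record_size` is later used as a read length (that code is outside the hunk), a cap closer to real MFT record sizes would be a safer limit for untrusted images. The body of `__probe_ntfs` starts and ends outside the hunk.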
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53160 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-53160 new file mode 100644 index 0000000000000000000000000000000000000000..b3586ec74864e876f2abf405326dec4964f4f1be GIT binary patch literal 1024 zc-m7?Q1A