From: Thomas Weißschuh
Date: Sun, 22 Jan 2023 03:36:06 +0000 (+0000)
Subject: libblkid: bcachefs: fix member_field_end
X-Git-Tag: v2.39-rc1~130^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=efaa44b152d1252866150a1a57e9b890857829b5;p=thirdparty%2Futil-linux.git
libblkid: bcachefs: fix member_field_end
The end of this member is the start of the next one, not the start of the current one.
---
diff --git a/libblkid/src/superblocks/bcache.c b/libblkid/src/superblocks/bcache.c
index 2480517314..b405480496 100644
--- a/libblkid/src/superblocks/bcache.c
+++ b/libblkid/src/superblocks/bcache.c
@@ -147,7 +147,7 @@ static int probe_bcache (blkid_probe pr, const struct blkid_idmag *mag)
 static unsigned char *member_field_end(
 const struct bcachefs_sb_field_members *field, size_t idx)
 {
- return (unsigned char *) &field->members + (sizeof(*field->members) * idx);
+ return (unsigned char *) &field->members + (sizeof(*field->members) * (idx + 1));
 }
 static void probe_bcachefs_sb_members(blkid_probe pr,
@@ -162,7 +162,7 @@ static void probe_bcachefs_sb_members(blkid_probe pr,
 uint8_t i;
 if ((unsigned char *) field + BYTES(field)
- != member_field_end(members, bcs->nr_devices))
+ != member_field_end(members, bcs->nr_devices - 1))
 return;
 if (member_field_end(members, dev_idx) > sb_end)
diff --git a/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55318 b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55318
new file mode 100644
index 0000000000..36b07a99df
Binary files /dev/null and b/tests/ts/fuzzers/test_blkid_fuzz_files/oss-fuzz-55318 differ
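Review bot: `member_field_end()` still carries no comment saying which boundary it returns, and the off-by-one corrected in this hunk is exactly the mistake such a comment prevents. With `(idx + 1)` the result is the address one past `members[idx]`, an exclusive end. I would add above the definition `/* Address one past members[idx], i.e. where members[idx + 1] would start. */` so that callers comparing it with the superblock end know the bound is exclusive. The helper also returns a non-const `unsigned char *` derived from a `const` argument; the calls visible in this patch only compare the result, so `const unsigned char *` would probably fit, though callers outside these hunks would need checking.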
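Review bot: The new call `member_field_end(members, bcs->nr_devices - 1)` relies on unsigned wraparound when `nr_devices` is 0: the `-1` becomes `SIZE_MAX` in the `size_t idx` parameter and `(idx + 1)` in the helper wraps back to 0. That gives the right answer only if `nr_devices` is narrower than `int` (the `uint8_t i` counter suggests so, but its declaration is not in this hunk); a 32-bit unsigned field on a 64-bit build would not wrap to 0. Since the count presumably comes from the on-disk superblock, make the case explicit with `if (bcs->nr_devices == 0) return;` ahead of the comparison, or document it with `/* nr_devices == 0: idx + 1 wraps to 0, i.e. the start of members */`. Separately, the following check bounds `member_field_end(members, dev_idx)` only against `sb_end`; whether `dev_idx < bcs->nr_devices` is enforced cannot be seen here, as the enclosing function starts and ends outside the hunk.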