From: Aizal Khan Date: Sun, 5 Jul 2026 08:22:43 +0000 (+0530) Subject: libblkid: (iso9660) fix out-of-bounds read of root dir record X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f2d3f1040550430a720b5e5bdc9f5fa1f09a6b6b;p=thirdparty%2Futil-linux.git libblkid: (iso9660) fix out-of-bounds read of root dir record root_len comes from the on-disk root directory record (rdr+10) and was only rejected when zero. The extent is then mapped for min(root_len, 2048) bytes and the first record is validated by reading rootdata[0], rootdata[32], rootdata[33] and isonum_731(rootdata+2). blkid_probe_get_buffer() only rounds a request up to io_size when the rounded region still fits the probing area, so a root extent sitting in the final partial io_size block of a crafted image returns a buffer of exactly root_len bytes. With root_len between 1 and 33 and rootdata[0] >= 34, the validation reads offsets 32/33 past that buffer. Reject an extent too small to hold the 34-byte record, which the surrounding comment already assumes. Signed-off-by: Aizal Khan --- diff --git a/libblkid/src/superblocks/iso9660.c b/libblkid/src/superblocks/iso9660.c index 4ceaa4aca..3607f04d6 100644 --- a/libblkid/src/superblocks/iso9660.c +++ b/libblkid/src/superblocks/iso9660.c @@ -301,7 +301,13 @@ static int probe_iso9660(blkid_probe pr, const struct blkid_idmag *mag) uint64_t root_off = (uint64_t) root_lba * logical_block_size; const unsigned char *rootdata; - if (root_len == 0) + /* + * A valid root directory holds at least the 34-byte "." + * record inspected below (offsets up to 33). A shorter extent + * cannot be valid and would under-map the buffer, so the fixed + * offset reads must not run before this check. + */ + if (root_len < 34) return 1; rootdata = blkid_probe_get_buffer(pr, root_off,