From 509da98991e2a3f72042c6b29e538a5269357a80 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <djwong@kernel.org>
Date: Sun, 6 Jul 2025 11:31:00 -0700
Subject: [PATCH] libext2fs: fix off-by-one bug in punch_extent_blocks

punch_extent_blocks tries to validate its input parameters to make sure
that the physical range of blocks being punched do not go past the end
of the filesystem.  Unfortunately, there's an off-by-one bug in the
valiation, because start==0 count==10 is a perfectly valid range on a
10-block filesystem.

Cc: linux-ext4@vger.kernel.org # v1.46.6
Fixes: 6772d4969e9c90 ("libext2fs: check for invalid blocks in ext2fs_punch_blocks()")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Link: https://lore.kernel.org/r/175182662987.1984706.5292286424808159532.stgit@frogsfrogsfrogs
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
 lib/ext2fs/punch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ext2fs/punch.c b/lib/ext2fs/punch.c
index 80c699eb..19b6a378 100644
--- a/lib/ext2fs/punch.c
+++ b/lib/ext2fs/punch.c
@@ -201,7 +201,7 @@ static errcode_t punch_extent_blocks(ext2_filsys fs, ext2_ino_t ino,
 	errcode_t	retval = 0;
 
 	if (free_start < fs->super->s_first_data_block ||
-	    (free_start + free_count) >= ext2fs_blocks_count(fs->super))
+	    (free_start + free_count) > ext2fs_blocks_count(fs->super))
 		return EXT2_ET_BAD_BLOCK_NUM;
 
 	/* No bigalloc?  Just free each block. */
-- 
2.47.2