Whamcloud - gitweb
libext2fs: sanity check group argument to ext2fs_clear_{block,inode}_uninit()
author Theodore Ts'o <tytso@mit.edu>
Thu, 12 May 2016 03:23:06 +0000 (23:23 -0400)
committer Theodore Ts'o <tytso@mit.edu>
Thu, 12 May 2016 03:23:06 +0000 (23:23 -0400)
Avoid a potential out-of-bounds memory access if the group passed to
ext2fs_clear_block_uninit() or ext2fs_clear_inode_uninit() is greater
than the number of groups in the file system.  This prevents a failure
in resize2fs when trying to allocate a block when growing the file system
significantly.

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/alloc.c

index ce59e85..f96ac4b 100644 (file)
@@ -41,7 +41,8 @@
  */
 void ext2fs_clear_block_uninit(ext2_filsys fs, dgrp_t group)
 {
-       if (!ext2fs_has_group_desc_csum(fs) ||
+       if (group >= fs->group_desc_count ||
+           !ext2fs_has_group_desc_csum(fs) ||
            !(ext2fs_bg_flags_test(fs, group, EXT2_BG_BLOCK_UNINIT)))
                return;
 
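Review bot: the new "group >= fs->group_desc_count" test at the top of ext2fs_clear_block_uninit() turns an out-of-range group into a silent no-op, and because the function returns void the caller never learns it passed a bad group number. Putting the bounds test first, ahead of ext2fs_bg_flags_test(fs, group, ...), is the right order, but the function comment should state that groups at or beyond fs->group_desc_count are ignored, so that callers such as the resize2fs path named in the commit message know the uninit flag was not cleared for that group.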
@@ -61,7 +62,8 @@ static void check_inode_uninit(ext2_filsys fs, ext2fs_inode_bitmap map,
 {
        ext2_ino_t      i, ino;
 
-       if (!ext2fs_has_group_desc_csum(fs) ||
+       if (group >= fs->group_desc_count ||
+           !ext2fs_has_group_desc_csum(fs) ||
            !(ext2fs_bg_flags_test(fs, group, EXT2_BG_INODE_UNINIT)))
                return;
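Review bot: the @@ context line for this hunk names static check_inode_uninit(), while the commit subject and message refer to ext2fs_clear_inode_uninit(); the message should name the function that actually gains the check, or say how the two relate. The three-condition guard here is also a copy of the one in ext2fs_clear_block_uninit(), differing only in the flag (EXT2_BG_INODE_UNINIT versus EXT2_BG_BLOCK_UNINIT), so a small shared helper taking the flag as a parameter would keep the bounds test from drifting between the two sites.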