The s_log_block_size check can fail to detect an invalid value if it is
between UINT_MAX-9 and UINT_MAX, which can lead to ext2fs_open()
crashing with a division by zero error.
This bug was found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/
Addresses-Debian-Bug: #868489
Reported-by: jwilk@jwilk.net
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
}
}
- if ((fs->super->s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) >
- EXT2_MAX_BLOCK_LOG_SIZE) {
+ if (fs->super->s_log_block_size >
+ (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)) {
retval = EXT2_ET_CORRUPT_SUPERBLOCK;
goto cleanup;
}
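Review bot: The rewritten condition is only correct because both operands are unsigned, so a one-line comment above the `if` would keep a later cleanup from reverting it to the additive form. The old `s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE` wraps when s_log_block_size is within a few units of UINT_MAX and slips past the range check, which is the division-by-zero path described in the commit message, while `s_log_block_size > (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)` subtracts two small constants and cannot overflow. Consider also adding the AFL-generated image as a regression test so the EXT2_ET_CORRUPT_SUPERBLOCK path is exercised.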