From 3888c1e84dfe8a3d9a63f53c1f4c6ed56c391f17 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Wed, 11 May 2016 23:23:06 -0400
Subject: [PATCH] libext2fs: sanity check group argument to ext2fs_clear_{block,inode}_uninit()
Avoid a potential out-of-bounds memory access if the group passed to ext2fs_clear_block_uninit() or ext2fs_clear_inode_uninit() is greater than the number of groups in the file system. This prevents a failure in resize2fs when to allocate a block when growing the file system significantly.
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/alloc.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/ext2fs/alloc.c b/lib/ext2fs/alloc.c
index ce59e85..f96ac4b 100644
--- a/lib/ext2fs/alloc.c
+++ b/lib/ext2fs/alloc.c
@@ -41,7 +41,8 @@
 */
 void ext2fs_clear_block_uninit(ext2_filsys fs, dgrp_t group)
 {
- if (!ext2fs_has_group_desc_csum(fs) ||
+ if (group >= fs->group_desc_count ||
+ !ext2fs_has_group_desc_csum(fs) ||
 !(ext2fs_bg_flags_test(fs, group, EXT2_BG_BLOCK_UNINIT)))
 return;
@@ -61,7 +62,8 @@ static void check_inode_uninit(ext2_filsys fs, ext2fs_inode_bitmap map,
 {
 ext2_ino_t i, ino;
- if (!ext2fs_has_group_desc_csum(fs) ||
+ if (group >= fs->group_desc_count ||
+ !ext2fs_has_group_desc_csum(fs) ||
 !(ext2fs_bg_flags_test(fs, group, EXT2_BG_INODE_UNINIT)))
 return;
--
1.8.3.1
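Review bot: The new `group >= fs->group_desc_count` guard in ext2fs_clear_block_uninit() returns silently, and because the function is void a caller that passes a stale or miscomputed group gets no indication that nothing was cleared. The guard added to check_inode_uninit() in the second hunk behaves the same way. I would document that at the check, for example `/* group can lie past the descriptor table while resize2fs grows the fs; nothing to clear */`, so the early return reads as deliberate rather than as a swallowed error. The description says "greater than the number of groups", whereas the check also rejects a group equal to the count, which is the correct bound. The function body continues outside the hunk.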
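Review bot: The subject and description name ext2fs_clear_inode_uninit(), but the function patched in the second hunk is the static helper check_inode_uninit(), and no function with the former name appears in the visible diff. If this is a naming slip, the message should say `check_inode_uninit()` so that anyone searching for the bounds fix finds the right function. If a separate public function of that name exists elsewhere, it presumably indexes the group descriptors the same way and would need the same guard. The helper's signature and body both extend beyond this hunk, so how the rest of it uses group cannot be judged from here.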