From 74da94f3bf240bb8ad1b57a94a8f94fa3050e906 Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Mon, 17 Jul 2017 19:55:39 -0400
Subject: [PATCH] libext2fs: fix the s_log_block_size check in ext2fs_open()

The s_log_block_check can fail to detect an invalid value if it is between UINT_MAX-9 and UINT_MAX, which can lead to ext2fs_open() crashing with a division by zero error.

This bug was found using American Fuzzy Lop: http://lcamtuf.coredump.cx/afl/

Addresses-Debian-Bug: #868489
Reported-by: jwilk@jwilk.net
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/openfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ext2fs/openfs.c b/lib/ext2fs/openfs.c
index 93b02ed..0362b28 100644
--- a/lib/ext2fs/openfs.c
+++ b/lib/ext2fs/openfs.c
@@ -275,8 +275,8 @@ errcode_t ext2fs_open2(const char *name, const char *io_options,
 		}
 	}
-	if ((fs->super->s_log_block_size + EXT2_MIN_BLOCK_LOG_SIZE) >
-	    EXT2_MAX_BLOCK_LOG_SIZE) {
+	if (fs->super->s_log_block_size >
+	    (unsigned) (EXT2_MAX_BLOCK_LOG_SIZE - EXT2_MIN_BLOCK_LOG_SIZE)) {
 		retval = EXT2_ET_CORRUPT_SUPERBLOCK;
 		goto cleanup;
 	}
--
1.8.3.1
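Review bot: The rewritten condition on the added `if` lines is correct but carries no comment saying why the subtraction form is required, so a later tidy-up could reintroduce the additive form the commit removes. I would add, directly above the `if`: `/* Compare against (MAX - MIN) instead of adding MIN to s_log_block_size: a value near UINT_MAX makes the sum wrap below the limit, and the commit message reports a later division by zero from such a value. */`. The `(unsigned)` cast presumably exists so the unsigned superblock field is not compared against a signed macro difference; if that is the intent, naming it in the same comment would help. Should the superblock have a sibling shift-count check written in the additive form (not visible in this hunk), it would need the same treatment. ext2fs_open2's body continues outside the hunk on both sides.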