From ac1fceebccf21a7cee9e27b6d29e4e245b143686 Mon Sep 17 00:00:00 2001
From: Jeff Mahoney
Date: Tue, 7 Nov 2017 16:31:43 -0500
Subject: [PATCH] LU-10205 libext2fs: fix buffer overrun in ext2fs_expand_extra_isize
In ext2fs_expand_extra_isize, we size buffer using 'size' but then do the memcpy with the rounded-up size, which can overflow the buffer.
With MALLOC_CHECK_=2, I see:
Error in `../e2fsck/e2fsck': free(): invalid pointer:
Change-Id: I31be58de12d4d50646c7aa96959de0efc5c279c3
Signed-off-by: Jeff Mahoney
Reviewed-on: https://review.whamcloud.com/29975
Reviewed-by: Andreas Dilger
Tested-by: Jenkins
Tested-by: Maloo
---
 lib/ext2fs/ext_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index a9d0b62..3fb8d84 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -1032,7 +1032,7 @@ retry:
 size = entry->e_value_size;
 entry_size = EXT2_EXT_ATTR_LEN(entry->e_name_len);
 i.name_index = entry->e_name_index;
-error = ext2fs_get_mem(size, &buffer);
+error = ext2fs_get_mem(EXT2_EXT_ATTR_SIZE(size), &buffer);
 if (error)
 goto cleanup;
 error = ext2fs_get_mem(entry->e_name_len + 1, &b_entry_name);
-- 
1.8.3.1
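Review bot: The enlarged allocation on the `+` line is correct only because a memcpy further down (outside this hunk) copies `EXT2_EXT_ATTR_SIZE(size)` bytes rather than `size`, and nothing at the allocation site records that pairing, so a later change to either line can silently reintroduce the overrun the commit fixes. Add a comment above the call: `/* the copy below uses the rounded EXT2_EXT_ATTR_SIZE(size), not size; allocate the same length */`. Note also that `size` is taken straight from the on-disk `entry->e_value_size`; whether that value, and the rounded length derived from it, has already been checked against the extra-isize region it is read from is not visible here and is worth confirming, since the rounding makes the source read a few bytes longer than the value itself. The enclosing ext2fs_expand_extra_isize body starts and ends outside the hunk.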