From d1ccc6e58bf80d07c131f074f1222a67c82bc6af Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Mon, 16 Oct 2017 00:28:45 -0400
Subject: [PATCH] libext2fs: fix potential memory access overrun in ext2fs_inode_csum()

If the superblock has a revision level of 0, then s_inode_size is undefined, and the actual inode size is 128 bytes. This is handled by the EXT2_INODE_SIZE() helper macro. If s_inode_size is maliciously set to a large value, and the s_rev_level is 0, then this could result in an illegal memory pointer dereference.

Addresses-Debian-Bug: #878104
Reported-by: Jakub Wilk
Signed-off-by: Theodore Ts'o
---
 lib/ext2fs/csum.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ext2fs/csum.c b/lib/ext2fs/csum.c
index e67850f..093da04 100644
--- a/lib/ext2fs/csum.c
+++ b/lib/ext2fs/csum.c
@@ -632,7 +632,7 @@ static errcode_t ext2fs_inode_csum(ext2_filsys fs, ext2_ino_t inum,
 {
 __u32 gen;
 struct ext2_inode_large *desc = inode;
- size_t size = fs->super->s_inode_size;
+ size_t size = EXT2_INODE_SIZE(fs->super);
 __u16 old_lo;
 __u16 old_hi = 0;
-- 
1.8.3.1
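Review bot: The new `size_t size = EXT2_INODE_SIZE(fs->super);` line still takes s_inode_size verbatim whenever s_rev_level is non-zero, because the macro only substitutes the fixed 128-byte size for revision-0 superblocks, so a revision-1 superblock carrying an oversized or otherwise bogus s_inode_size reaches the checksum arithmetic below the hunk by the same path the commit message describes. If that case is meant to be rejected when the filesystem is opened, the dependency is worth stating at the declaration, e.g. `/* Rev 1+ superblocks report s_inode_size directly; this relies on it having been range-checked (>= 128, <= blocksize) at open time. */`. Otherwise a local guard that returns the library's corrupt-superblock error when size is below 128 or above fs->blocksize would close the hole regardless of how fs->super was populated. ext2fs_inode_csum begins before this hunk and its body continues past it, so I cannot see how size is used later.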