Whamcloud - gitweb
Fix e2fsck segfault on very badly damaged filesystems
author: Theodore Ts'o <tytso@mit.edu>
Wed, 11 Jul 2007 17:42:43 +0000 (13:42 -0400)
committer: Theodore Ts'o <tytso@mit.edu>
Wed, 11 Jul 2007 17:42:43 +0000 (13:42 -0400)
A recent change to e2fsck_add_dir_info() to use tdb files to check
filesystems with a very large number of filesystems had a typo which
caused us to resize the wrong data structure.  This would cause an
array overrun leading to malloc pointer corruptions.  Since we
normally can very accurately predict how big the dirinfo array
needs to be, this bug only got triggered on very badly corrupted
filesystems.

Thanks to Andreas Dilger for submitting the test case which discovered
this problem, and to Kalpak Shah for writing a random testing script
which created the test case.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
e2fsck/dirinfo.c

index aaa4d09..f583c62 100644
@@ -126,7 +126,7 @@ void e2fsck_add_dir_info(e2fsck_t ctx, ext2_ino_t ino, ext2_ino_t parent)
                ctx->dir_info->size += 10;
                retval = ext2fs_resize_mem(old_size, ctx->dir_info->size *
                                           sizeof(struct dir_info),
-                                          &ctx->dir_info);
+                                          &ctx->dir_info->array);
                if (retval) {
                        ctx->dir_info->size -= 10;
                        return;
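Review bot: the error path right after the corrected resize still loses the entry silently: when ext2fs_resize_mem fails, the function restores `ctx->dir_info->size -= 10;` and returns from a void function, so the caller has no way to know that `ino` was never recorded and later lookups of that directory will simply miss it; this path deserves either a propagated error or an explicit abort. The slip that this hunk fixes also shows why it went unnoticed: `&ctx->dir_info` and `&ctx->dir_info->array` are different types, yet the wrong one compiled, so the resize target is untyped and the original call grew (and possibly moved) the dir_info struct itself while the array stayed at its old size. A comment on the line, or a typed wrapper around ext2fs_resize_mem, would stop the same mistake recurring. Finally, growing by a fixed 10 slots per call is quadratic in exactly the case that reaches this code (a badly corrupted filesystem where the size prediction is wrong); a geometric growth factor would be cheaper there.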