fs/ntfs3: Check if more than chunk-size bytes are written

A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance <andrewjballance@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>

fs/ntfs3: Check if more than chunk-size bytes are written
A incorrectly formatted chunk may decompress into more than LZNT_CHUNK_SIZE bytes and a index out of bounds will occur in s_max_off. Signed-off-by: Andrew Ballance <andrewjballance@gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
9931122d · Andrew Ballance · Konstantin Komarov · 556bdf27 · 9931122d
Commit 9931122d authored May 15, 2024 by Andrew Ballance Committed by Konstantin Komarov Sep 03, 2024
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

fs/ntfs3/lznt.c fs/ntfs3/lznt.c +3 -0

No files found.
--- a/fs/ntfs3/lznt.c
+++ b/fs/ntfs3/lznt.c
@@ -236,6 +236,9 @@ static inline ssize_t decompress_chunk(u8 *unc, u8 *unc_end, const u8 *cmpr,

 	/* Do decompression until pointers are inside range. */
 	while (up < unc_end && cmpr < cmpr_end) {
+		// return err if more than LZNT_CHUNK_SIZE bytes are written
+		if (up - unc > LZNT_CHUNK_SIZE)
+			return -EINVAL;
 		/* Correct index */
 		while (unc + s_max_off[index] < up)
 			index += 1;