From 73f8eed9cb80f3e3f7ba711591b5e2596b43dc5f Mon Sep 17 00:00:00 2001 From: Phillip Lougher Date: Tue, 24 May 2011 04:45:33 +0100 Subject: [PATCH] --- yaml --- r: 252085 b: refs/heads/master c: 1094a4a6118019255bf0e4adaa96bb17ccec3a82 h: refs/heads/master i: 252083: 3816168bc164baaf342f5b5759296f6fa3f129cd v: v3 --- [refs] | 2 +- trunk/fs/squashfs/super.c | 18 ++++++++++++++++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/[refs] b/[refs] index 66f7aecd2f5d..fb7cf679ad7f 100644 --- a/[refs] +++ b/[refs] @@ -1,2 +1,2 @@ --- -refs/heads/master: 1cac63cc9b2ff0d16ab2d16232b1a6ee8676a47b +refs/heads/master: 1094a4a6118019255bf0e4adaa96bb17ccec3a82 diff --git a/trunk/fs/squashfs/super.c b/trunk/fs/squashfs/super.c index efa8118260d4..984d6c861928 100644 --- a/trunk/fs/squashfs/super.c +++ b/trunk/fs/squashfs/super.c @@ -268,7 +268,7 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) handle_fragments: fragments = le32_to_cpu(sblk->fragments); if (fragments == 0) - goto allocate_root; + goto check_directory_table; msblk->fragment_cache = squashfs_cache_init("fragment", SQUASHFS_CACHED_FRAGMENTS, msblk->block_size); @@ -286,8 +286,22 @@ static int squashfs_fill_super(struct super_block *sb, void *data, int silent) msblk->fragment_index = NULL; goto failed_mount; } + next_table = msblk->fragment_index[0]; -allocate_root: +check_directory_table: + /* Sanity check directory_table */ + if (msblk->directory_table >= next_table) { + err = -EINVAL; + goto failed_mount; + } + + /* Sanity check inode_table */ + if (msblk->inode_table >= msblk->directory_table) { + err = -EINVAL; + goto failed_mount; + } + + /* allocate root */ root = new_inode(sb); if (!root) { err = -ENOMEM;