sqfs_frag_lookup() reads a 16-bit metadata block header whose lower 15 bits encode the data size. Unlike sqfs_read_metablock() in sqfs_inode.c, this function does not validate that the decoded size is within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can set the size field to any value up to 32767, causing memcpy to write past the 8192-byte 'entries' heap buffer.
Add the same bounds check used by sqfs_read_metablock(): reject any metadata block header with SQFS_METADATA_SIZE(header) exceeding SQFS_METADATA_BLOCK_SIZE. Found by fuzzing with libFuzzer + AddressSanitizer. Signed-off-by: Eric Kilmer <[email protected]> --- fs/squashfs/sqfs.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c index f668c26472e..9cb8b4afcdd 100644 --- a/fs/squashfs/sqfs.c +++ b/fs/squashfs/sqfs.c @@ -178,6 +178,11 @@ static int sqfs_frag_lookup(u32 inode_fragment_index, goto out; } + if (SQFS_METADATA_SIZE(header) > SQFS_METADATA_BLOCK_SIZE) { + ret = -EINVAL; + goto out; + } + entries = malloc(SQFS_METADATA_BLOCK_SIZE); if (!entries) { ret = -ENOMEM; -- 2.53.0
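Review bot: the new early exit does `goto out` before `entries = malloc(...)` runs, and the `out:` label is outside the hunk, so please confirm that `entries` is initialized to NULL at its declaration (or that `out:` guards its `free()`), otherwise the newly reachable path would free an uninitialized pointer. The check itself is placed correctly, before any allocation or copy driven by the header size, and -EINVAL is the right return for a corrupt image. Since this is now the same bound test as in sqfs_read_metablock(), consider a small shared helper (e.g. a `sqfs_check_metablock_size(header)` that compares `SQFS_METADATA_SIZE(header)` against `SQFS_METADATA_BLOCK_SIZE`) so the two callers cannot drift apart again; the commit message could also note that the fuzzing reproducer is a reasonable regression test to keep.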

