summaryrefslogtreecommitdiff
path: root/fs/squashfs
diff options
context:
space:
mode:
Diffstat (limited to 'fs/squashfs')
-rw-r--r--fs/squashfs/super.c18
1 files changed, 16 insertions, 2 deletions
diff --git a/fs/squashfs/super.c b/fs/squashfs/super.c
index efa8118260d..984d6c86192 100644
--- a/fs/squashfs/super.c
+++ b/fs/squashfs/super.c
@@ -268,7 +268,7 @@ allocate_id_index_table:
handle_fragments:
fragments = le32_to_cpu(sblk->fragments);
if (fragments == 0)
- goto allocate_root;
+ goto check_directory_table;
msblk->fragment_cache = squashfs_cache_init("fragment",
SQUASHFS_CACHED_FRAGMENTS, msblk->block_size);
@@ -286,8 +286,22 @@ handle_fragments:
msblk->fragment_index = NULL;
goto failed_mount;
}
+ next_table = msblk->fragment_index[0];
-allocate_root:
+check_directory_table:
+ /* Sanity check directory_table */
+ if (msblk->directory_table >= next_table) {
+ err = -EINVAL;
+ goto failed_mount;
+ }
+
+ /* Sanity check inode_table */
+ if (msblk->inode_table >= msblk->directory_table) {
+ err = -EINVAL;
+ goto failed_mount;
+ }
+
+ /* allocate root */
root = new_inode(sb);
if (!root) {
err = -ENOMEM;
generated by cgit v1.2.3-70-g09d2 (git 2.51.2) at 2025-11-04 07:09:07 +0000