Re: [PATCH] hfs: fix array out of bounds read of array extent

Ernesto A. Fernández <ernesto.mnd.fernandez@xxxxxxxxx> · Wed, 17 Oct 2018 14:49:54 -0300

On Fri, Aug 31, 2018 at 03:05:38PM +0100, Colin King wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> 
> Currently extent and index i are both being incremented causing
> an array out of bounds read on extent[i]. Fix this by removing
> the extraneous increment of extent.
> 
> Detected by CoverityScan, CID#711541 ("Out of bounds read")
> 
> Fixes: d1081202f1d0 ("HFS rewrite")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>

I don't think this got picked up yet; let's see if I can help.

Reviewed-by: Ernesto A. Fernández <ernesto.mnd.fernandez@xxxxxxxxx>

> ---
>  fs/hfs/extent.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c
> index 5d0182654580..636cdfcecb26 100644
> --- a/fs/hfs/extent.c
> +++ b/fs/hfs/extent.c
> @@ -300,7 +300,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type)
>  		return 0;
>  
>  	blocks = 0;
> -	for (i = 0; i < 3; extent++, i++)
> +	for (i = 0; i < 3; i++)
>  		blocks += be16_to_cpu(extent[i].count);
>  
>  	res = hfs_free_extents(sb, extent, blocks, blocks);
> -- 
> 2.17.1
> 