Check sector and cluster size before use.
Otherwise malformed FS can cause heap corruption.
relan committed Sep 9, 2015
1 parent b36d87d commit 2e86ae5
Showing 1 changed file with 17 additions and 10 deletions.
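--- a/libexfat/mount.c
+++ b/libexfat/mount.c
@@ -206,6 +206,23 @@ int exfat_mount(struct exfat* ef, const char* spec, const char* options)
 exfat_error("exFAT file system is not found");
 return -EIO;
 }
+/* sector cannot be smaller than 512 bytes */
+if (ef->sb->sector_bits < 9)
+{
+exfat_close(ef->dev);
+exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits);
+free(ef->sb);
+return -EIO;
+}
+/* officially exFAT supports cluster size up to 32 MB */
+if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
+{
+exfat_close(ef->dev);
+exfat_error("too big cluster size: 2^(%hhd+%hhd)",
+ef->sb->sector_bits, ef->sb->spc_bits);
+free(ef->sb);
+return -EIO;
+}
 ef->zero_cluster = malloc(CLUSTER_SIZE(*ef->sb));
 if (ef->zero_cluster == NULL)
 {
@@ -240,16 +257,6 @@ int exfat_mount(struct exfat* ef, const char* spec, const char* options)
 free(ef->sb);
 return -EIO;
 }
-/* officially exFAT supports cluster size up to 32 MB */
-if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
-{
-free(ef->zero_cluster);
-exfat_close(ef->dev);
-exfat_error("too big cluster size: 2^%d",
-(int) ef->sb->sector_bits + (int) ef->sb->spc_bits);
-free(ef->sb);
-return -EIO;
-}
 if (le64_to_cpu(ef->sb->sector_count) * SECTOR_SIZE(*ef->sb) >
 exfat_get_size(ef->dev))
 {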
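Review bot: The two new diagnostics in the first hunk print `ef->sb->sector_bits` and `ef->sb->spc_bits` with `%hhd`, which formats the argument as a signed char; if these superblock fields are unsigned 8-bit values (their declaration is not visible here), a malformed image carrying 0x80 or above is logged as a negative exponent. These messages exist precisely for malformed file systems, so `%hhu` would keep them accurate, e.g. `exfat_error("too small sector size: 2^%hhu", ef->sb->sector_bits);`. The checks also leave `sector_bits` without an upper bound of its own (only the sum is capped at 25), whereas the exFAT specification limits the sector shift to 12; a separate `if (ef->sb->sector_bits > 12)` rejection would be stricter, although the sum check already bounds the `CLUSTER_SIZE` allocation. `exfat_mount` starts and ends outside the shown hunks.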