
Check sector and cluster size before use.

Otherwise malformed FS can cause heap corruption.
relan committed Sep 9, 2015
1 parent b36d87d commit 2e86ae5f81da11f11673d0546efb525af02b7786
Showing with 17 additions and 10 deletions.
  1. +17 −10 libexfat/mount.c
@@ -206,6 +206,23 @@ int exfat_mount(struct exfat* ef, const char* spec, const char* options)
exfat_error("exFAT file system is not found");
return -EIO;
}
/* sector cannot be smaller than 512 bytes */
if (ef->sb->sector_bits < 9)
{
exfat_close(ef->dev);
exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits);
free(ef->sb);
return -EIO;
}
/* officially exFAT supports cluster size up to 32 MB */
if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
{
exfat_close(ef->dev);
exfat_error("too big cluster size: 2^(%hhd+%hhd)",
ef->sb->sector_bits, ef->sb->spc_bits);
free(ef->sb);
return -EIO;
}
ef->zero_cluster = malloc(CLUSTER_SIZE(*ef->sb));
if (ef->zero_cluster == NULL)
{
@@ -240,16 +257,6 @@ int exfat_mount(struct exfat* ef, const char* spec, const char* options)
free(ef->sb);
return -EIO;
}
/* officially exFAT supports cluster size up to 32 MB */
if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
{
free(ef->zero_cluster);
exfat_close(ef->dev);
exfat_error("too big cluster size: 2^%d",
(int) ef->sb->sector_bits + (int) ef->sb->spc_bits);
free(ef->sb);
return -EIO;
}
if (le64_to_cpu(ef->sb->sector_count) * SECTOR_SIZE(*ef->sb) >
exfat_get_size(ef->dev))
{
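Review bot: The size check left in place after the removed block, `le64_to_cpu(ef->sb->sector_count) * SECTOR_SIZE(*ef->sb) > exfat_get_size(ef->dev)`, still multiplies an on-disk 64-bit count by the sector size, so a malformed superblock with a very large sector_count could wrap the product and pass the comparison. Now that the new checks bound sector_bits to 9..25, the test can be written without the multiplication, e.g. `if (le64_to_cpu(ef->sb->sector_count) > (uint64_t) exfat_get_size(ef->dev) >> ef->sb->sector_bits)`, assuming SECTOR_SIZE is `1 << sector_bits` and exfat_get_size returns a non-negative byte count (neither definition is visible here). Separately, the two new messages format the fields with `%hhd`; if sector_bits and spc_bits are unsigned 8-bit fields, `%hhu` matches them and avoids printing values above 127 as negative. This `if` statement and the rest of exfat_mount continue outside the hunk.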
