Merge pull request #499 from wcampbell0x2a/fix-more-fuzz-found-panics

Fix more fuzz found panics
wcampbell0x2a · Mar 24, 2024 · 89a78c3 · 89a78c3
2 parents a2a71f5 + c4b0a89
commit 89a78c3
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 8 deletions.
diff --git a/backhand-cli/src/bin/unsquashfs.rs b/backhand-cli/src/bin/unsquashfs.rs
@@ -208,7 +208,14 @@ fn main() -> ExitCode {
         return ExitCode::SUCCESS;
     }
 
-    let squashfs = Squashfs::from_reader_with_offset_and_kind(file, args.offset, kind).unwrap();
+    let squashfs = match Squashfs::from_reader_with_offset_and_kind(file, args.offset, kind) {
+        Ok(s) => s,
+        Err(_e) => {
+            let line = format!("{:>14}", red_bold.apply_to(format!("Could not read image: {_e}")));
+            pb.finish_with_message(line);
+            return ExitCode::FAILURE;
+        }
+    };
     let root_process = unsafe { geteuid() == 0 };
     if root_process {
         umask(Mode::from_bits(0).unwrap());

diff --git a/backhand/src/squashfs.rs b/backhand/src/squashfs.rs
@@ -464,10 +464,16 @@ impl<'b> Squashfs<'b> {
             return Ok(None);
         }
 
-        // ignore blocks before our block_index, grab all the rest of the bytes
-        // TODO: perf
-        let offset = self.dir_blocks.0.get(&block_index).unwrap();
-        let block = &self.dir_blocks.1[*offset as usize..];
+        let Some(offset) = self.dir_blocks.0.get(&block_index) else {
+            return Err(BackhandError::CorruptedOrInvalidSquashfs);
+        };
+        let Some(block) = &self.dir_blocks.1.get(*offset as usize..) else {
+            return Err(BackhandError::CorruptedOrInvalidSquashfs);
+        };
+
+        if (block.len() as u32) < (block_offset as u32 + file_size - 3) {
+            return Err(BackhandError::CorruptedOrInvalidSquashfs);
+        }
 
         let bytes = &block[block_offset..][..file_size as usize - 3];
         let mut dirs = vec![];
@@ -512,9 +518,13 @@ impl<'b> Squashfs<'b> {
             for d in &dirs {
                 trace!("extracting entry: {:#?}", d.dir_entries);
                 for entry in &d.dir_entries {
-                    let inode_key =
-                        (d.inode_num as i32 + entry.inode_offset as i32).try_into().unwrap();
-                    let found_inode = &self.inodes[&inode_key];
+                    let Ok(inode_key) = (d.inode_num as i32 + entry.inode_offset as i32).try_into()
+                    else {
+                        return Err(BackhandError::CorruptedOrInvalidSquashfs);
+                    };
+                    let Some(found_inode) = &self.inodes.get(&inode_key) else {
+                        return Err(BackhandError::CorruptedOrInvalidSquashfs);
+                    };
                     let header = found_inode.header;
                     fullpath.push(entry.name()?);