| author | Eric Kilmer <[email protected]> | 2026-02-20 14:48:08 -0500 |
|---|---|---|
| committer | Tom Rini <[email protected]> | 2026-02-23 12:45:50 -0600 |
| commit | e365a269df5d01307390bdf7d6a1081d94b06470 (patch) | |
| tree | 0a035264f6c4e1a6fff5b9e5c8b2c86c5b7bae5c /doc/develop/package | |
| parent | 30b8c03d8c8f500b3e4cc51f7b7abf573180ea51 (diff) | |
fs/squashfs: fix heap buffer overflow in sqfs_frag_lookup()
sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
15 bits encode the data size. Unlike sqfs_read_metablock() in
sqfs_inode.c, this function does not validate that the decoded size is
within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
set the size field to any value up to 32767, causing memcpy to write
past the 8192-byte 'entries' heap buffer.

Add the same bounds check used by sqfs_read_metablock(): reject any
metadata block header with SQFS_METADATA_SIZE(header) exceeding
SQFS_METADATA_BLOCK_SIZE.

Found by fuzzing with libFuzzer + AddressSanitizer.

Signed-off-by: Eric Kilmer <[email protected]>
Reviewed-by: Miquel Raynal <[email protected]>
Diffstat (limited to 'doc/develop/package')
0 files changed, 0 insertions, 0 deletions
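As an added illustration, not code from this commit or from U-Boot, the bounds check the message describes, applied before the copy into the fixed-size 'entries' buffer. The macro values, the little-endian header layout, the bit-15 "uncompressed" flag and the function names are assumptions modelled on the commit message.

```c
#include <stdint.h>
#include <string.h>

/* Assumed definitions mirroring the commit message: a 16-bit header whose
 * lower 15 bits carry the data size (bit 15 marks an uncompressed block),
 * and an 8192-byte maximum for a metadata block. */
#define SQFS_METADATA_BLOCK_SIZE 8192
#define SQFS_METADATA_SIZE(h)    ((h) & 0x7fff)
#define SQFS_UNCOMPRESSED_FLAG   0x8000

/* The check this commit adds: is the decoded size within one block? */
int sqfs_metablock_size_ok(uint16_t header)
{
	return SQFS_METADATA_SIZE(header) <= SQFS_METADATA_BLOCK_SIZE;
}

/* Hardened copy of a metadata block into the 8192-byte 'entries' buffer.
 * 'block' points at the 16-bit little-endian header followed by the data.
 * Returns bytes copied, or -1 on an oversized header or truncated input.
 * Without the size check, a header of 0x7fff makes memcpy write 32767
 * bytes into an 8192-byte buffer, which is the overflow being fixed. */
int sqfs_copy_metablock(const uint8_t *block, size_t block_len,
			uint8_t entries[SQFS_METADATA_BLOCK_SIZE])
{
	if (block_len < 2)
		return -1;
	uint16_t header = (uint16_t)(block[0] | (block[1] << 8));
	size_t size = SQFS_METADATA_SIZE(header);

	if (!sqfs_metablock_size_ok(header))
		return -1;           /* malformed image: reject before memcpy */
	if (block_len - 2 < size)
		return -1;           /* header claims more data than is present */
	memcpy(entries, block + 2, size);
	return (int)size;
}

/* Build a constructed (not a real image) block carrying the given size
 * field and run it through the hardened copy; returns the copy result. */
int demo_copy(uint16_t size_field)
{
	static uint8_t block[2 + 0x7fff];
	static uint8_t entries[SQFS_METADATA_BLOCK_SIZE];
	uint16_t header = (uint16_t)(SQFS_UNCOMPRESSED_FLAG | size_field);

	block[0] = header & 0xff;
	block[1] = header >> 8;
	memset(block + 2, 0xab, sizeof(block) - 2);
	return sqfs_copy_metablock(block, sizeof(block), entries);
}
```

demo_copy(4096) and demo_copy(8192) copy exactly that many bytes, while demo_copy(32767), the worst case the message describes, is rejected with -1 instead of overrunning the buffer.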
