[PATCH] erofs-utils: lib: fix crafted Z_EROFS_COMPRESSION_INTERLACED extents

Gao Xiang hsiangkao at linux.alibaba.com
Wed Jun 25 18:57:59 AEST 2025


`fuzz_erofsfsck` reports a heap-buffer-overflow issue.

Reproducible image (base64-encoded gzipped blob):
H4sICEI5WmgCA2Vyb2ZzZnNja19saWJmdXp6ZXJfdVhJS1BnAGNkAIKu////M8ABIwMDO8NA
AA6iVSqQYCoTkepWMQwDwIPGFxhUrvv/nx+fNDUdizMFs1DdV9vpHc5MVDHlN5h89PDrg/1G
87YxgxOPigcs3KSXrUsH0ReXSWLoNMASlo8eQMzhgJgDDP8usDNVEEouLuMElS1AwHeRESq2
iZn9N4NNtzOXVqL1bNf7CTO2RkIM/c8KpvqJBFiSGrBI+0FRIUPNhP+F4SGIdiBeC0aK+kFE
8WlMIqBnGDQMZIVBTuEEzhoG8KwBKlJGkzDNk7ABPmBpZGBqYmpoYgZMu+amxgbmBhbU8R1f
JDw+2YAYFJ3g2Jxxze3Cxog9oNZRCitS7cJEXJ2Dz8P7KWlvAAAOXVIStwkAAA==

Add a `rq->decodedlength > rq->inputsize` check to match the kernel
implementation for now.

Closes: https://github.com/erofs/erofs-utils/issues/20
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
 lib/decompress.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/lib/decompress.c b/lib/decompress.c
index 1e9fad7..3e7a173 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -514,14 +514,13 @@ int z_erofs_decompress(struct z_erofs_decompress_req *rq)
 	if (rq->alg == Z_EROFS_COMPRESSION_INTERLACED) {
 		unsigned int count, rightpart, skip;
 
-		/* XXX: should support inputsize >= erofs_blksiz(sbi) later */
-		if (rq->inputsize > erofs_blksiz(sbi))
-			return -EFSCORRUPTED;
-
-		if (rq->decodedlength > erofs_blksiz(sbi))
+		if (rq->decodedlength > rq->inputsize)
+			return -EOPNOTSUPP;
+		if (rq->decodedlength < rq->decodedskip)
 			return -EFSCORRUPTED;
 
-		if (rq->decodedlength < rq->decodedskip)
+		/* XXX: should support inputsize >= erofs_blksiz(sbi) later */
+		if (rq->inputsize > erofs_blksiz(sbi))
 			return -EFSCORRUPTED;
 
 		count = rq->decodedlength - rq->decodedskip;
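Review bot: the new `if (rq->decodedlength > rq->inputsize)` check returns -EOPNOTSUPP while the removed `rq->decodedlength > erofs_blksiz(sbi)` check and the neighbouring `decodedlength < decodedskip` / `inputsize > erofs_blksiz(sbi)` checks return -EFSCORRUPTED; since this is exactly the condition the fuzzed image triggers, it is worth stating in the commit message why an oversized decodedlength is reported as "unsupported" rather than as corruption (the message only says it matches the kernel). Also note that the dropped `decodedlength > erofs_blksiz(sbi)` test is still implied by the new ordering, because decodedlength <= inputsize is enforced first and inputsize <= erofs_blksiz(sbi) right after it, so no bound is lost; a one-line comment above the reordered block saying so would make that invariant explicit for the next reader.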
@@ -532,9 +531,10 @@ int z_erofs_decompress(struct z_erofs_decompress_req *rq)
 		return 0;
 	} else if (rq->alg == Z_EROFS_COMPRESSION_SHIFTED) {
 		if (rq->decodedlength > rq->inputsize)
+			return -EOPNOTSUPP;
+		if (rq->decodedlength < rq->decodedskip)
 			return -EFSCORRUPTED;
 
-		DBG_BUGON(rq->decodedlength < rq->decodedskip);
 		memcpy(rq->out, rq->in + rq->decodedskip,
 		       rq->decodedlength - rq->decodedskip);
 		return 0;
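Review bot: replacing `DBG_BUGON(rq->decodedlength < rq->decodedskip)` with a real `return -EFSCORRUPTED` is the right call, since both fields come from the image and a debug-only assertion leaves the following `memcpy(rq->out, rq->in + rq->decodedskip, rq->decodedlength - rq->decodedskip)` with an underflowed length in non-debug builds. However, splitting the existing check also changes the error for `decodedlength > inputsize` in the SHIFTED branch from -EFSCORRUPTED to -EOPNOTSUPP, which callers such as fsck may treat differently, and the commit message only mentions the INTERLACED case; please mention this behaviour change there (or keep -EFSCORRUPTED here if the SHIFTED path was not meant to change).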
-- 
2.43.5
