[PATCH] erofs-utils: lib: error out if fragment_off is crafted

Gao Xiang hsiangkao at linux.alibaba.com
Fri Mar 7 19:39:12 AEDT 2025


Found in some fuzzed images.

Fixes: f511cfbbc0da ("erofs-utils: introduce fragment cache")
Signed-off-by: Gao Xiang <hsiangkao at linux.alibaba.com>
---
 lib/fragments.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/fragments.c b/lib/fragments.c
index 2f5fbf9..a345acf 100644
--- a/lib/fragments.c
+++ b/lib/fragments.c
@@ -524,6 +524,10 @@ int erofs_packedfile_read(struct erofs_sb_info *sbi,
 			erofs_blk_t bnr = erofs_blknr(sbi, pos);
 			bool uptodate;
 
+			if (__erofs_unlikely(bnr > epi->uptodate_size)) {
+				erofs_err("packed inode EOF exceeded @ %llu", pos);
+				return -EFSCORRUPTED;
+			}
 			map.m_la = round_down(pos, bsz);
 			len = min_t(erofs_off_t, bsz - (pos & (bsz - 1)),
 				    end - pos);
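
Review bot: the new bound in `if (__erofs_unlikely(bnr > epi->uptodate_size))` uses `>`, so a crafted `fragment_off` that yields `bnr == epi->uptodate_size` still passes the check. The hunk does not show whether `uptodate_size` is a block count or some other unit. Please confirm it is comparable to a block number; if it is the number of valid entries, use `>=`. A short comment stating the unit would make the check reviewable on its own. Separately, `pos` is printed with `%llu` without a cast. If its type is `erofs_off_t`, as the `min_t(erofs_off_t, ...)` just below suggests, an explicit `(unsigned long long)pos` avoids a format warning on targets where the 64-bit type is `unsigned long`. The commit message would also be more useful if it said what the unchecked value led to on the fuzzed images.
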
-- 
2.43.5


