[PATCH] erofs: fix unsigned underflow in z_erofs_lz4_handle_overlap()

Gao Xiang hsiangkao at linux.alibaba.com
Thu Apr 9 17:28:21 AEST 2026



On 2026/4/9 14:57, Junrui Luo wrote:
> In z_erofs_lz4_handle_overlap(), the index expression
> "rq->outpages - rq->inpages + i" is computed in unsigned arithmetic.
> If outpages < inpages, the subtraction wraps to a large value and
> the subsequent rq->out[] access reads past the decompressed_pages
> array.
> 
> z_erofs_map_sanity_check() does not enforce m_plen <= m_llen, so a
> crafted image declaring m_plen > m_llen can produce outpages < inpages.

For this kind of stuff, do you have a reproducer?

`m_plen > m_llen` can happen on partial decoding only.

> 
> The in-place branch is currently unreachable: it requires both
> partial_decoding == false and omargin > 0, but these are mutually
> exclusive. partial_decoding == false requires pcl->length == m_llen,
> which in turn requires (offset + end == m_la + m_llen) where
> offset + end is page-aligned from folio boundaries. This forces

I'm not sure what you're saying, but I don't think
you really understand the entire logic.

> m_la + m_llen to be page-aligned, making oend page-aligned and
> omargin zero.

`m_la + m_llen` should not be page-aligned for typical
erofs images, you can just run `mkfs.erofs -zlz4hc` with some
file and check it yourself.

BTW, I just checked upstream, and the in-place branch
works perfectly.

Thanks,
Gao Xiang
