[PATCH] fsck.erofs: validate h_shared_count against xattr_isize

Utkal Singh singhutkal015 at gmail.com
Mon Mar 16 18:38:12 AEDT 2026


A crafted EROFS image can set h_shared_count to a large value in
the xattr ibody header. erofs_verify_xattr() reads this value
directly without checking if the implied shared entry area fits
within xattr_isize. This causes 'remaining' to underflow below
zero after the shared entry loop, corrupting the subsequent
while(remaining > 0) bounds check.

Validate that xattr_shared_count shared entries fit within the
available xattr body size before entering the loop.

Signed-off-by: Utkal Singh <singhutkal015 at gmail.com>
---
 fsck/main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fsck/main.c b/fsck/main.c
index cf07829..c911aa1 100644
--- a/fsck/main.c
+++ b/fsck/main.c
@@ -374,6 +374,12 @@ static int erofs_verify_xattr(struct erofs_inode *inode)
 	}
 	ih = (struct erofs_xattr_ibody_header *)ptr;
 	xattr_shared_count = ih->h_shared_count;
+	if (xattr_shared_count * xattr_entry_size > remaining - xattr_hdr_size) {
+		erofs_err("h_shared_count %u exceeds xattr_isize @ nid %llu",
+			  xattr_shared_count, inode->nid | 0ULL);
+		ret = -EFSCORRUPTED;
+		goto out;
+	}
 
 	ofs = erofs_blkoff(sbi, addr) + xattr_hdr_size;
 	addr += xattr_hdr_size;
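Review bot: In the added `if`, the right-hand side `remaining - xattr_hdr_size` is only meaningful once `remaining >= xattr_hdr_size` is known, and nothing visible in this hunk establishes that. The types of `remaining`, `xattr_hdr_size` and `xattr_entry_size` are not shown here either, while the `%u` format implies `xattr_shared_count` is unsigned. If `remaining` is signed (the commit message describes it going below zero) and any other operand is an unsigned type of at least `int` rank, the comparison is done in unsigned arithmetic, so a `remaining` smaller than the header size would wrap to a large value and the check would pass. Please make the precondition explicit and avoid the mixed-sign comparison, for example by rejecting `remaining < xattr_hdr_size` first and then testing `xattr_shared_count > (remaining - xattr_hdr_size) / xattr_entry_size`. A smaller point: the error text says the count exceeds `xattr_isize`, but the comparison uses `remaining`, so printing the limit actually compared against would make the message easier to act on.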
-- 
2.43.0


