From 21ee0e79e90c3cf63613bc1a00a609cfaf1777b2 Mon Sep 17 00:00:00 2001
From: Justus Winter <justus@gnupg.org>
Date: Sun, 17 Apr 2016 16:36:32 +0200
Subject: isofs: make superblock detection more robust

* isofs/isofs.h (disk_image_len): New variable.
* isofs/main.c (read_sblock): Avoid out of bounds access.
* isofs/pager.c (disk_image_len): New variable.
(create_disk_pager): Initialize 'disk_image_len'.
---
 isofs/isofs.h | 1 +
 isofs/main.c  | 9 ++-------
 isofs/pager.c | 2 ++
 3 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/isofs/isofs.h b/isofs/isofs.h
index 3f6690be..2ba013c2 100644
--- a/isofs/isofs.h
+++ b/isofs/isofs.h
@@ -75,6 +75,7 @@ char *mounted_on;
 
 /* Mapped image of disk */
 void *disk_image;
+size_t disk_image_len;
 
 /* Processed sblock info */
 
diff --git a/isofs/main.c b/isofs/main.c
index 95c90fe8..c07cf3ff 100644
--- a/isofs/main.c
+++ b/isofs/main.c
@@ -72,17 +72,13 @@ static void
 read_sblock ()
 {
   struct voldesc *vd;
-  error_t err;
   struct sblock * volatile sb = 0;
 
-  err = diskfs_catch_exception ();
-  if (err)
-    error (4, err, "reading superblock");
-
   /* Start at logical sector 16 and keep going until
      we find a matching superblock */
   for (vd = disk_image + (logical_sector_size * 16);
-       (void *) vd < disk_image + (logical_sector_size * 500); /* for sanity */
+       (void *) vd < disk_image + (logical_sector_size * 500) /* for sanity */
+         && (void *) vd + logical_sector_size < disk_image + disk_image_len;
        vd = (void *) vd + logical_sector_size)
     {
       if (vd->type == VOLDESC_END)
@@ -105,7 +101,6 @@ read_sblock ()
   if (!sblock)
     error (1, errno, "Could not allocate memory for superblock");
   memcpy (sblock, sb, sizeof (struct sblock));
-  diskfs_end_catch_exception ();
 
   /* Parse some important bits of this */
   logical_block_size = isonum_723 (sblock->blksize);
diff --git a/isofs/pager.c b/isofs/pager.c
index 35de37e4..b4be4e2d 100644
--- a/isofs/pager.c
+++ b/isofs/pager.c
@@ -28,6 +28,7 @@ struct port_bucket *pager_bucket;
 
 /* Mapped image of the disk */
 void *disk_image;
+size_t disk_image_len;
 
 
 /* Implement the pager_read_page callback from the pager library.  See
@@ -148,6 +149,7 @@ create_disk_pager (void)
   upi->np = 0;
   pager_bucket = ports_create_bucket ();
   diskfs_start_disk_pager (upi, pager_bucket, 1, 0, store->size, &disk_image);
+  disk_image_len = store->size;
   upi->p = diskfs_disk_pager;
 }
 
-- 
cgit v1.2.3