+exfat-utils (0.9.7-2+deb7u1) UNRELEASED; urgency=medium
+
+ * Add d/patches/check-sector-and-cluster-size. Fix for
+ https://github.com/relan/exfat/issues/5 found and reported by
+ The Fuzzing Project.
+ * Add d/patches/detect-infinite-loop. Fix for
+ https://github.com/relan/exfat/issues/6 found and reported by
+ The Fuzzing Project.
+
+ -- Sven Hoexter <hoexter@debian.org> Thu, 29 Oct 2015 12:37:48 +0100
+
exfat-utils (0.9.7-2) unstable; urgency=low
* Move manual link creation from debian/rules to debian/links
--- /dev/null
+Patch for https://github.com/relan/exfat/issues/5
+See also:
+https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html
+Index: exfat-utils/libexfat/mount.c
+===================================================================
+--- exfat-utils.orig/libexfat/mount.c
++++ exfat-utils/libexfat/mount.c
+@@ -172,6 +172,24 @@ int exfat_mount(struct exfat* ef, const
+ exfat_error("exFAT file system is not found");
+ return -EIO;
+ }
++ /* sector cannot be smaller than 512 bytes */
++ if (ef->sb->sector_bits < 9)
++ {
++ exfat_close(ef->dev);
++ exfat_error("too small sector size: 2^%hhd", ef->sb->sector_bits);
++ free(ef->sb);
++ return -EIO;
++ }
++ /* officially exFAT supports cluster size up to 32 MB */
++ if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
++ {
++ exfat_close(ef->dev);
++ exfat_error("too big cluster size: 2^(%hhd+%hhd)",
++ ef->sb->sector_bits, ef->sb->spc_bits);
++ free(ef->sb);
++ return -EIO;
++ }
++
+ if (ef->sb->version.major != 1 || ef->sb->version.minor != 0)
+ {
+ exfat_close(ef->dev);
+@@ -187,16 +205,6 @@ int exfat_mount(struct exfat* ef, const
+ exfat_error("unsupported FAT count: %hhu", ef->sb->fat_count);
+ return -EIO;
+ }
+- /* officially exFAT supports cluster size up to 32 MB */
+- if ((int) ef->sb->sector_bits + (int) ef->sb->spc_bits > 25)
+- {
+- exfat_close(ef->dev);
+- free(ef->sb);
+- exfat_error("too big cluster size: 2^%d",
+- (int) ef->sb->sector_bits + (int) ef->sb->spc_bits);
+- return -EIO;
+- }
+-
+ ef->zero_cluster = malloc(CLUSTER_SIZE(*ef->sb));
+ if (ef->zero_cluster == NULL)
+ {
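Review bot: Both new error messages print `ef->sb->sector_bits` and `ef->sb->spc_bits` with `%hhd`, while the nearby fat_count message in the second hunk uses `%hhu`; if these superblock fields are unsigned 8-bit values, as the `%hhu` on fat_count suggests, `%hhd` would render any value of 128 or more as a negative number in the diagnostic. Using `exfat_error("too small sector size: 2^%hhu", ef->sb->sector_bits);` and the matching `%hhu` pair in the "too big cluster size" message keeps the format consistent with the existing check. The lower bound on `sector_bits` alone is new, and the upper bound still comes only from the combined `sector_bits + spc_bits > 25` test, which is sufficient because both operands are widened to int before the addition and an unsigned `spc_bits` cannot lower the sum. The body of exfat_mount starts and ends outside this hunk.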
--- /dev/null
+Patch for https://github.com/relan/exfat/issues/6
+See also:
+https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html
+Index: exfat-utils/libexfat/mount.c
+===================================================================
+--- exfat-utils.orig/libexfat/mount.c
++++ exfat-utils/libexfat/mount.c
+@@ -27,17 +27,32 @@
+
+ static uint64_t rootdir_size(const struct exfat* ef)
+ {
+- uint64_t clusters = 0;
++ uint32_t clusters = 0;
++ uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count);
+ cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster);
+
+- while (!CLUSTER_INVALID(rootdir_cluster))
+- {
+- clusters++;
+- /* root directory cannot be contiguous because there is no flag
+- to indicate this */
+- rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster);
++ /* Iterate all clusters of the root directory to calculate its size.
++ It can't be contiguous because there is no flag to indicate this. */
++ do
++ {
++ if (clusters == clusters_max) /* infinite loop detected */
++ {
++ exfat_error("root directory cannot occupy all %d clusters",
++ clusters);
++ return 0;
++ }
++ if (CLUSTER_INVALID(rootdir_cluster))
++ {
++ exfat_error("bad cluster %#x while reading root directory",
++ rootdir_cluster);
++ return 0;
++ }
++ rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster);
++ clusters++;
+ }
+- return clusters * CLUSTER_SIZE(*ef->sb);
++ while (rootdir_cluster != EXFAT_CLUSTER_END);
++
++ return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb);
+ }
+
+ static const char* get_option(const char* options, const char* option_name)
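Review bot: `clusters` is now a uint32_t but is printed with `%d` in the "cannot occupy all" message at the top of the new loop; it equals `cluster_count` at that point and may exceed INT_MAX, so `exfat_error("root directory cannot occupy all %u clusters", clusters);` is the matching specifier. The rewritten rootdir_size returns 0 from both failure branches as an error sentinel, whereas before 0 was only reachable when the initial root cluster was already invalid; the caller in exfat_mount is outside this hunk, so confirm it treats a zero result as a mount failure rather than continuing with an empty root directory. A header comment above the function such as `/* Size of the root directory in bytes, or 0 if its cluster chain is corrupt (error already reported). */` would make that contract explicit. Note also that a superblock with `cluster_count == 0` would be rejected on the first iteration with the wording "cannot occupy all 0 clusters", which is correct behaviour but a slightly misleading message for that case.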
honor-cppflags
utf16-fix
+check-sector-and-cluster-size
+detect-infinite-loop