Add d/patches/detect-infinite-loop. Fix for https://github.com/relan/exfat/issues...

diff --git a/debian/changelog b/debian/changelog
index 300f2e9f54ba8eb80928f8b4084a5f759baf1e5d..624cae13ded008ac04b4d9a0a06cbca8e177a33a 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,9 @@ exfat-utils (1.1.0-3) UNRELEASED; urgency=medium
   * Add d/patches/check-sector-and-cluster-size. Fix for
     https://github.com/relan/exfat/issues/5 found and reported by
     The Fuzzing Project.
+  * Add d/patches/detect-infinite-loop. Fix for
+    https://github.com/relan/exfat/issues/6 found and reported by
+    The Fuzzing Project.
 
  -- Sven Hoexter <hoexter@debian.org>  Thu, 29 Oct 2015 09:03:18 +0100
 

diff --git a/debian/patches/detect-infinite-loop b/debian/patches/detect-infinite-loop
new file mode 100644 (file)
index 0000000..a50f38c
--- /dev/null
+++ b/debian/patches/detect-infinite-loop
@@ -0,0 +1,52 @@
+Patch for https://github.com/relan/exfat/issues/6
+See also:
+https://blog.fuzzing-project.org/25-Heap-overflow-and-endless-loop-in-exfatfsck-exfat-utils.html
+Index: exfat-utils/libexfat/mount.c
+===================================================================
+--- exfat-utils.orig/libexfat/mount.c
++++ exfat-utils/libexfat/mount.c
+@@ -30,23 +30,32 @@
+ 
+ static uint64_t rootdir_size(const struct exfat* ef)
+ {
+-      uint64_t clusters = 0;
++      uint32_t clusters = 0;
++      uint32_t clusters_max = le32_to_cpu(ef->sb->cluster_count);
+       cluster_t rootdir_cluster = le32_to_cpu(ef->sb->rootdir_cluster);
+ 
+-      while (!CLUSTER_INVALID(rootdir_cluster))
++      /* Iterate all clusters of the root directory to calculate its size.
++         It can't be contiguous because there is no flag to indicate this. */
++      do
+       {
+-              clusters++;
+-              /* root directory cannot be contiguous because there is no flag
+-                 to indicate this */
++              if (clusters == clusters_max) /* infinite loop detected */
++              {
++                      exfat_error("root directory cannot occupy all %d clusters",
++                                      clusters);
++                      return 0;
++              }
++              if (CLUSTER_INVALID(rootdir_cluster))
++              {
++                      exfat_error("bad cluster %#x while reading root directory",
++                                      rootdir_cluster);
++                      return 0;
++              }
+               rootdir_cluster = exfat_next_cluster(ef, ef->root, rootdir_cluster);
++              clusters++;
+       }
+-      if (rootdir_cluster != EXFAT_CLUSTER_END)
+-      {
+-              exfat_error("bad cluster %#x while reading root directory",
+-                              rootdir_cluster);
+-              return 0;
+-      }
+-      return clusters * CLUSTER_SIZE(*ef->sb);
++      while (rootdir_cluster != EXFAT_CLUSTER_END);
++
++      return (uint64_t) clusters * CLUSTER_SIZE(*ef->sb);
+ }
+ 
+ static const char* get_option(const char* options, const char* option_name)

diff --git a/debian/patches/series b/debian/patches/series
index 64264cfba799f36c78f260a6a56b3c4346f10bbc..d86ff4ac6c10f1aa30b60f176a830ad926c22f3c 100644 (file)
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 check-sector-and-cluster-size
+detect-infinite-loop