diff options
author | David Sterba <dsterba@suse.com> | 2016-10-03 14:52:30 +0200 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2016-10-03 15:07:24 +0200 |
commit | 3956c16d0b1ba2e35b32530de80f68f29c8a8ae8 (patch) | |
tree | 6853810cc91f449f5e6b6f53d6bfbd2aec89b877 /btrfs-image.c | |
parent | 35d0588b641b227f6560f8c7240e0b2c43afae14 (diff) |
btrfs-progs: image: catch zero length extents, avoid endless loop
If an extent is found to have length 0, we'd loop endlessly in
copy_from_extent_tree. Reproduced by fuzzed image
bko-166361-blocksize-zero.raw within test 002-simple-image .
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'btrfs-image.c')
-rw-r--r-- | btrfs-image.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/btrfs-image.c b/btrfs-image.c index 6bb8d470..bbe4f638 100644 --- a/btrfs-image.c +++ b/btrfs-image.c @@ -1264,10 +1264,18 @@ static int copy_from_extent_tree(struct metadump_struct *metadump, } bytenr = key.objectid; - if (key.type == BTRFS_METADATA_ITEM_KEY) + if (key.type == BTRFS_METADATA_ITEM_KEY) { num_bytes = extent_root->nodesize; - else + } else { num_bytes = key.offset; + } + + if (num_bytes == 0) { + error("extent length 0 at bytenr %llu key type %d", + (unsigned long long)bytenr, key.type); + ret = -EIO; + break; + } if (btrfs_item_size_nr(leaf, path->slots[0]) > sizeof(*ei)) { ei = btrfs_item_ptr(leaf, path->slots[0], |