Package: libaal-dev
Version: 1.0.5-5
Severity: critical
Justification: causes serious data loss

In bitops.c, several functions get offsets and sizes with type bit_t, which is 64 bit, but local variables which hold the result of calculations on those bit_t variables are of type int, which causes incorrect results for filesystems with block bitmaps that are larger than 2 GiB.

I'm marking this critical as this causes fsck.reiserfs to work incorrectly on such filesystems, potentially breaking it beyond repair. I have attached a patch, but please have a good look at it to see if I did not miss anything.

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/6 CPU cores)
Locale: LANG=nl_NL.UTF-8, LC_CTYPE=nl_NL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libaal-dev depends on:
ii  libc6-dev [libc-dev]  2.13-8  Embedded GNU C Library: Developmen

libaal-dev recommends no packages.

libaal-dev suggests no packages.

-- no debconf information

--- libaal-1.0.5.orig/src/bitops.c +++ libaal-1.0.5/src/bitops.c @@ -80,7 +80,7 @@ bit_t size, bit_t offset) { - int bit = offset & 7, res; + bit_t bit = offset & 7, res; unsigned char *addr = map; unsigned char *p = addr + (offset >> 3); @@ -100,7 +100,7 @@ /* Finds zero bit in @byte starting from @offset */ static inline int aal_find_nzb(unsigned char byte, bit_t offset) { - int i = offset; + bit_t i = offset; unsigned char mask = 1 << offset; while ((byte & mask) != 0) { @@ -119,9 +119,9 @@ bit_t offset) { unsigned char *addr = map; - unsigned int byte_nr = offset >> 3; - unsigned int bit_nr = offset & 0x7; - unsigned int max_byte_nr = (size - 1) >> 3; + bit_t byte_nr = offset >> 3; + bit_t bit_nr = offset & 0x7; + bit_t max_byte_nr = (size - 1) >> 3; if (bit_nr != 0) { unsigned int b = ~(unsigned int)addr[byte_nr]; @@ -152,8 +152,8 @@ bit_t start, bit_t count) { - int end_byte; - int start_byte; + bit_t end_byte; + bit_t start_byte; char *addr = map; bit_t left, right; @@ -185,8 +185,8 @@ bit_t start, bit_t count) { - int end_byte; - int start_byte; + bit_t end_byte; + bit_t start_byte; char *addr = map; bit_t left, right;
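
Review bot: in the hunk at -80, `bit` is only ever `offset & 7`, so it holds 0 to 7 and did not need widening; the declaration that matters on that line is `res`. Because both now share bit_t, every use of `res` further down the function (outside the visible context) should be checked for comparisons or return paths that assumed a signed int. Splitting the declaration, so that `bit` stays a small type and `res` is bit_t, would make the intent clearer.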
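
Review bot: in aal_find_nzb (hunk at -100) the return type is still `int` while `i` becomes bit_t, so any value derived from `i` that the function returns is narrowed back to int and the widening has no effect. The following line, `unsigned char mask = 1 << offset;`, only produces a usable mask for an offset below 8, so the real constraint is the range of `offset`, not the width of `i`. Either leave `i` as int, or keep the change and document or assert that callers pass an in-byte offset.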
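
Review bot: in the hunk at -119, `max_byte_nr = (size - 1) >> 3` has no visible guard for `size == 0`. The three variables were `unsigned int` before; if bit_t is unsigned as well, the subtraction wraps and max_byte_nr becomes a very large 64-bit bound instead of a truncated 32-bit one. An early return for an empty map, or for `offset >= size`, ahead of these declarations would make the bound safe. Widening `byte_nr` is the part that matters for `addr[byte_nr]`; `bit_nr` is 0 to 7 and does not need it.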
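
Review bot: in the hunks at -152 and -185, `end_byte` and `start_byte` change from signed `int` to bit_t, which is a signedness change as well as a width change if bit_t is unsigned. The function bodies are not in the context, so please confirm that no subtraction between the two, and no `< 0` test on either, relied on a negative intermediate result, for example when `start` and `count` fall inside a single byte. A short comment at the declarations stating that these are byte indexes derived from 64-bit bit offsets would help keep them from being narrowed again later.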