On 20/02/2026 at 14:48:08 -05, Eric Kilmer <[email protected]> wrote:
> sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
> 15 bits encode the data size. Unlike sqfs_read_metablock() in
> sqfs_inode.c, this function does not validate that the decoded size is
> within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
> set the size field to any value up to 32767, causing memcpy to write
> past the 8192-byte 'entries' heap buffer.
>
> Add the same bounds check used by sqfs_read_metablock(): reject any
> metadata block header with SQFS_METADATA_SIZE(header) exceeding
> SQFS_METADATA_BLOCK_SIZE.
>
> Found by fuzzing with libFuzzer + AddressSanitizer.
>
> Signed-off-by: Eric Kilmer <[email protected]>

Reviewed-by: Miquel Raynal <[email protected]>

Thanks!
Miquèl
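The header decoding and the bounds check described in the commit message above, as an added example in C that is neither U-Boot's code nor the author's patch. The names SQFS_METADATA_SIZE(), SQFS_METADATA_BLOCK_SIZE and the 'entries' buffer follow the commit message; the bit-15 "stored uncompressed" flag is the on-disk SquashFS convention; le16(), read_metablock(), metablock_overrun() and the two demo images are assumptions constructed for this illustration. The 'strict' flag switches the fix on and off so the difference is visible in one function; the demo only ever runs the checked path on the oversized header, since the unchecked path is exactly the overrun the patch removes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SQFS_METADATA_BLOCK_SIZE 8192

/* Lower 15 bits carry the on-disk size; bit 15 set means "stored uncompressed". */
#define SQFS_METADATA_SIZE(h)         ((unsigned)(h) & 0x7fffu)
#define SQFS_METADATA_UNCOMPRESSED(h) (((unsigned)(h) & 0x8000u) != 0)

/* Little-endian 16-bit read, standing in for an unaligned LE16 helper (assumption). */
static uint16_t le16(const uint8_t *p)
{
	return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

/*
 * How many bytes an unchecked memcpy of SQFS_METADATA_SIZE(header) bytes
 * would write past an 8192-byte 'entries' buffer (0 if it fits).
 */
static unsigned metablock_overrun(uint16_t header)
{
	unsigned size = SQFS_METADATA_SIZE(header);

	return size > SQFS_METADATA_BLOCK_SIZE ? size - SQFS_METADATA_BLOCK_SIZE : 0;
}

/*
 * Copy one uncompressed metadata block from 'img' into 'entries', which
 * must hold SQFS_METADATA_BLOCK_SIZE bytes. Returns the payload size or a
 * negative errno. 'strict' selects the bounds check from the patch; with
 * strict == 0 the header size is trusted, as in the unpatched code, and a
 * header above 8192 overruns 'entries' (the demos never call it that way).
 */
static int read_metablock(const uint8_t *img, size_t img_len,
			  uint8_t *entries, int strict)
{
	uint16_t header;
	unsigned size;

	if (img_len < 2)
		return -EINVAL;
	header = le16(img);
	size = SQFS_METADATA_SIZE(header);

	/* The fix: reject any block claiming more than one metadata block. */
	if (strict && size > SQFS_METADATA_BLOCK_SIZE)
		return -EINVAL;
	/* Compressed blocks go through a decompressor; not modelled here. */
	if (!SQFS_METADATA_UNCOMPRESSED(header))
		return -ENOTSUP;
	/* Truncated image: payload runs past the end of the input. */
	if ((size_t)size > img_len - 2)
		return -EINVAL;

	memcpy(entries, img + 2, size);
	return (int)size;
}

/* Constructed demo image: header 0x9000 = uncompressed, size 4096. Returns 4096. */
static int demo_valid_block(void)
{
	uint8_t img[2 + 4096];
	uint8_t entries[SQFS_METADATA_BLOCK_SIZE];
	int ret;

	img[0] = 0x00;
	img[1] = 0x90;
	memset(img + 2, 0xab, 4096);
	ret = read_metablock(img, sizeof(img), entries, 1);
	return (ret == 4096 && entries[4095] == 0xab) ? ret : -1;
}

/* Constructed demo image: header 0xffff = uncompressed, size 32767. Returns -EINVAL. */
static int demo_malicious_block(void)
{
	static uint8_t img[2 + 32767];
	uint8_t entries[SQFS_METADATA_BLOCK_SIZE];

	img[0] = 0xff;
	img[1] = 0xff;
	return read_metablock(img, sizeof(img), entries, 1);
}

int main(void)
{
	printf("valid block: %d bytes\n", demo_valid_block());
	printf("malicious block: %d (-EINVAL is %d)\n",
	       demo_malicious_block(), -EINVAL);
	printf("unchecked memcpy would overrun 'entries' by %u bytes\n",
	       metablock_overrun(0xffff));
	return 0;
}
```

The check has to come before the memcpy and before any use of the size as a length, which is why it sits directly after the header is decoded; the truncation check against the image length is a separate condition and does not substitute for it, because a crafted image can be long enough to satisfy it while still claiming 32767 bytes.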

