author | Ethan <ethan.too@gmail.com> | 2010-07-21 21:57:05 +0800 |
---|---|---|
committer | Ethan <ethan.too@gmail.com> | 2010-07-21 21:57:05 +0800 |
commit | 59ae828834dc177c74775cf36cafda4da9927bd9 (patch) | |
tree | 6f399eaeb950ea0ce179115e9a6edf76d2a96ce3 | |
parent | a6eb0d1794880492a5779fd8e871eb9ceb3e8737 (diff) | |
Fix an out of boundary access in fat.candroid-sdk-tools_r7android-adt-0.9.9android-adt-0.9.8tools_r9tools_r8tools_r7froyo-plus-aosp
From SD Specifications Part2 - File System
For Next Free Cluster, value FFFFFFFFh indicates that there exists
no information about the first available (free) cluster. It is a
valid value. However, fat.c doesn't check the value before using it
as an array index. This will cause fsck_msdos to coredump with some
micro SD cards
Change-Id: Ibdec1655399d95c3ca98a4f4aaed1fd9bf459f33
Signed-off-by: Ethan <ethan.too@gmail.com>
-rw-r--r-- | fat.c | 22 |
1 files changed, 12 insertions, 10 deletions
@@ -692,16 +692,18 @@ checklost(int dosfs, struct bootblock *boot, struct fatEntry *fat)
 			ret = 1;
 		}
 	}
-	if (boot->NumFree && fat[boot->FSNext].next != CLUST_FREE) {
-		pwarn("Next free cluster in FSInfo block (%u) not free\n",
-		    boot->FSNext);
-		if (ask(1, "Fix"))
-			for (head = CLUST_FIRST; head < boot->NumClusters; head++)
-				if (fat[head].next == CLUST_FREE) {
-					boot->FSNext = head;
-					ret = 1;
-					break;
-				}
+	if (boot->NumFree) {
+		if ((boot->FSNext >= boot->NumClusters) || (fat[boot->FSNext].next != CLUST_FREE)) {
+			pwarn("Next free cluster in FSInfo block (%u) not free\n",
+			    boot->FSNext);
+			if (ask(1, "Fix"))
+				for (head = CLUST_FIRST; head < boot->NumClusters; head++)
+					if (fat[head].next == CLUST_FREE) {
+						boot->FSNext = head;
+						ret = 1;
+						break;
+					}
+		}
 	}
 	if (ret)
 		mod |= writefsinfo(dosfs, boot); |
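Review bot: The added `if ((boot->FSNext >= boot->NumClusters) || (fat[boot->FSNext].next != CLUST_FREE))` correctly stops the out-of-bounds read, but the FFFFFFFFh "no information" value that the description calls valid is then reported with the unchanged message `Next free cluster in FSInfo block (%u) not free`, which is misleading for an index that was never looked up. Consider reporting the two cases separately, e.g. `pwarn("Next free cluster in FSInfo block (%u) out of range\n", boot->FSNext);` for the range failure, before falling through to the same fix loop. The lower bound is also unchecked: a stored FSNext below CLUST_FIRST is not a valid data cluster even though it presumably still lands inside the array, so `boot->FSNext < CLUST_FIRST ||` belongs in the same condition — worth confirming against how the fat array is allocated. The enclosing checklost() starts and ends outside the hunk.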