From f7a20cf162a02a4ce5301eb6b27bbc53fd5998b5 Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Wed, 29 Apr 2020 15:47:01 -0400
Subject: [PATCH] Fix bug introduced with imap offset check

---
 tsk/fs/ext2fs.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/tsk/fs/ext2fs.c b/tsk/fs/ext2fs.c
index 45dd18c27..1f56c9430 100755
--- a/tsk/fs/ext2fs.c
+++ b/tsk/fs/ext2fs.c
@@ -841,6 +841,20 @@ ext2fs_dinode_copy(EXT2FS_INFO * ext2fs, TSK_FS_META * fs_meta,
         grp_num * tsk_getu32(fs->endian,
         ext2fs->fs->s_inodes_per_group) + fs->first_inum;
 
+
+    /*
+     * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
+     */
+    if ((inum - ibase) > fs->block_size*8) {
+        tsk_release_lock(&ext2fs->lock);
+        tsk_error_reset();
+        tsk_error_set_errno(TSK_ERR_FS_WALK_RNG);
+        tsk_error_set_errstr("ext2fs_dinode_copy: Invalid offset into imap_buf (inum %" PRIuINUM " - ibase %" PRIuINUM ")",
+            inum, ibase);
+        return 1;
+    }
+
+
     /*
      * Apply the allocated/unallocated restriction.
      */
@@ -1052,9 +1066,9 @@ ext2fs_inode_walk(TSK_FS_INFO * fs, TSK_INUM_T start_inum,
             ext2fs->fs->s_inodes_per_group) + 1;
 
         /*
-         * Ensure that inum - ibase refers to a valid offset in imap_buf.
+         * Ensure that inum - ibase refers to a valid bit offset in imap_buf.
          */
-        if ((inum - ibase) > fs->block_size) {
+        if ((inum - ibase) > fs->block_size*8) {
             tsk_release_lock(&ext2fs->lock);
             free(dino_buf);
             tsk_error_reset();
-- 
GitLab