
ext2fs: fix integer overflow in rb_get_bmap_range
authorDmitry Monakhov <dmonakhov@openvz.org>
Thu, 11 Dec 2014 22:57:12 +0000 (17:57 -0500)
committerTheodore Ts'o <tytso@mit.edu>
Thu, 11 Dec 2014 22:57:35 +0000 (17:57 -0500)
bmap_rb_extent is defined as __u64:blk __u64:count.  So count can
exceed INT_MAX on populated filesystems.

TESTCASE: xfstest ext4/004

Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
lib/ext2fs/blkmap64_rb.c

index 8d1778d..7964fdb 100644 (file)
@@ -733,8 +733,7 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
        struct rb_node *parent = NULL, *next, **n;
        struct ext2fs_rb_private *bp;
        struct bmap_rb_extent *ext;
-       int count;
-       __u64 pos;
+       __u64 count, pos;
 
        bp = (struct ext2fs_rb_private *) bitmap->private;
        n = &bp->root.rb_node;
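Review bot: With `count` now an unsigned `__u64`, any later statement in this function that tests it for a negative value becomes always-false, and any that stores a value derived from it in an `int` would silently truncate. Neither kind of use can be ruled out from this hunk. The body of `rb_get_bmap_range` continues outside the hunk, so the rest of the function should be checked for such narrowing as part of this change. A short comment on the declaration would record the constraint for later edits, for example `/* __u64 to match bmap_rb_extent; must not be narrowed to int */`.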
@@ -765,9 +764,9 @@ static errcode_t rb_get_bmap_range(ext2fs_generic_bitmap bitmap,
                if (pos >= start + num)
                        break;
                if (pos < start) {
-                       count -= start - pos;
-                       if (count < 0)
+                       if (pos + count <  start)
                                continue;
+                       count -= start - pos;
                        pos = start;
                }
                if (pos + count > start + num)
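Review bot: The new guard `if (pos + count <  start)` depends on an unsigned sum that would wrap if an extent's start and count were ever large enough. It also lets the `pos + count == start` case through with `count` reduced to 0. Inside this branch `pos < start` is already known, so `start - pos` cannot wrap, and `if (count <= start - pos) continue;` gives the same test without the addition while also skipping extents that end exactly at `start`. The clamp on the last line, `if (pos + count > start + num)`, has the same additive form; whether the bitmap's bounds rule out wrap there cannot be determined from the hunk. The loop body starts and ends outside the hunk.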