commit 9419fc1c957d600093baaea247fef23cca3b4e93
author Bob Copeland <me@bobcopeland.com> Fri Aug 15 00:40:47 2008 -0700
committer Linus Torvalds <torvalds@linux-foundation.org> Fri Aug 15 08:35:44 2008 -0700
tree 532606ac97d86d8952ffcdd8f8513b1499c10bf8
parent c963343a1150106819773e828c9b237ed977615b

omfs: fix oops when file metadata is corrupted

A fuzzed fileystem image failed with OMFS when the extent count was
used in a loop without being checked against the max number of extents.
It also provoked a signed division for an array index that was checked
as if unsigned, leading to index by -1.

omfsck will be updated to fix these cases, in the meantime bail out
gracefully.

Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

fs/omfs/bitmap.c

diff --git a/fs/omfs/bitmap.c b/fs/omfs/bitmap.c
index 697663b..e1c0ec0 100644
--- a/fs/omfs/bitmap.c
+++ b/fs/omfs/bitmap.c
@@ -92,7 +92,7 @@
 	struct buffer_head *bh;
 	struct omfs_sb_info *sbi = OMFS_SB(sb);
 	int bits_per_entry = 8 * sb->s_blocksize;
-	int map, bit;
+	unsigned int map, bit;
 	int ret = 0;
 	u64 tmp;
 
@@ -176,7 +176,8 @@
 	struct omfs_sb_info *sbi = OMFS_SB(sb);
 	int bits_per_entry = 8 * sb->s_blocksize;
 	u64 tmp;
-	int map, bit, ret;
+	unsigned int map, bit;
+	int ret;
 
 	tmp = block;
 	bit = do_div(tmp, bits_per_entry);