File _service:tar_scm:backport-libblkid-probe-fix-si... of Package util-linux

File _service:tar_scm:backport-libblkid-probe-fix-size-and-offset-overflows-fuzzing.patch of Package util-linux

From 106de261469e1001243d5b81ed895762fb34b2ba Mon Sep 17 00:00:00 2001
From: Karel Zak <kzak@redhat.com>
Date: Thu, 2 Jun 2022 16:02:54 +0200
Subject: [PATCH] libblkid: (probe) fix size and offset overflows [fuzzing]

Reported-by: Thibault Guittet <tguittet@redhat.com>
Signed-off-by: Karel Zak <kzak@redhat.com>
---
 libblkid/src/probe.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/libblkid/src/probe.c b/libblkid/src/probe.c
index 06c25572be..fc638c9bbe 100644
--- a/libblkid/src/probe.c
+++ b/libblkid/src/probe.c
@@ -621,6 +621,11 @@ static int hide_buffer(blkid_probe pr, uint64_t off, uint64_t len)
 	struct list_head *p;
 	int ct = 0;
 
+	if (UINT64_MAX - len < off) {
+		DBG(BUFFER, ul_debug("\t  hide-buffer overflow (ignore)"));
+		return -EINVAL;
+	}
+
 	list_for_each(p, &pr->buffers) {
 		struct blkid_bufinfo *x =
 			list_entry(p, struct blkid_bufinfo, bufs);
@@ -656,14 +661,20 @@ unsigned char *blkid_probe_get_buffer(blkid_probe pr, uint64_t off, uint64_t len
 	DBG(BUFFER, ul_debug("\t>>>> off=%ju, real-off=%ju (probe <%ju..%ju>, len=%ju",
 				off, real_off, pr->off, pr->off + pr->size, len));
 	*/
-
 	if (pr->size == 0) {
 		errno = EINVAL;
 		return NULL;
 	}
 
-	if (len == 0 || (!S_ISCHR(pr->mode) && pr->off + pr->size < real_off + len)) {
-		DBG(BUFFER, ul_debug("\t  ignore: request out of probing area"));
+	if (UINT64_MAX - len < off || UINT64_MAX - len < real_off) {
+		DBG(BUFFER, ul_debug("\t  read-buffer overflow (ignore)"));
+		return NULL;
+	}
+
+	if (len == 0
+	    || (!S_ISCHR(pr->mode) && (pr->size < off || pr->size < len))
+	    || (!S_ISCHR(pr->mode) && (pr->off + pr->size < real_off + len))) {
+		DBG(BUFFER, ul_debug("\t  read-buffer out of probing area (ignore)"));
 		errno = 0;
 		return NULL;
 	}