authorAlden Tondettar2017-01-24 07:28:00 +0100
committerKarel Zak2017-01-25 11:41:22 +0100
commitdfb8d4ba929b6ec3f54b39037f2d6ef59a62ff08 (patch)
tree7557415949e97302966987caa6f220fa97307e9d /libblkid
parentlibblkid: Fix out of bounds reads on bad NTFS Master File Table (diff)
libblkid: Fix out of bounds reads on bad GPT header
If a GUID Partition Table claims to have more than 2**25 entries, or if the size of each entry is not exactly 128 bytes, libblkid can read out of bounds and segfault. Perform the appropriate checks. [kzak@redhat.com: - fix typo] Signed-off-by: Alden Tondettar <alden.tondettar@gmail.com> Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'libblkid')
-rw-r--r--libblkid/src/partitions/gpt.c15
1 files changed, 7 insertions, 8 deletions
diff --git a/libblkid/src/partitions/gpt.c b/libblkid/src/partitions/gpt.c
index e6baa598b..d987236d3 100644
--- a/libblkid/src/partitions/gpt.c
+++ b/libblkid/src/partitions/gpt.c
@@ -210,7 +210,7 @@ static struct gpt_header *get_gpt_header(
struct gpt_header *h;
uint32_t crc;
uint64_t lu, fu;
- size_t esz;
+ uint64_t esz;
uint32_t hsz, ssz;
ssz = blkid_probe_get_sectorsize(pr);
@@ -264,17 +264,16 @@ static struct gpt_header *get_gpt_header(
return NULL;
}
- if (le32_to_cpu(h->num_partition_entries) == 0 ||
- le32_to_cpu(h->sizeof_partition_entry) == 0 ||
- ULONG_MAX / le32_to_cpu(h->num_partition_entries) < le32_to_cpu(h->sizeof_partition_entry)) {
+ /* Size of blocks with GPT entries */
+ esz = (uint64_t)le32_to_cpu(h->num_partition_entries) *
+ le32_to_cpu(h->sizeof_partition_entry);
+
+ if (esz == 0 || esz >= UINT32_MAX ||
+ le32_to_cpu(h->sizeof_partition_entry) != sizeof(struct gpt_entry)) {
DBG(LOWPROBE, ul_debug("GPT entries undefined"));
return NULL;
}
- /* Size of blocks with GPT entries */
- esz = le32_to_cpu(h->num_partition_entries) *
- le32_to_cpu(h->sizeof_partition_entry);
-
/* The header seems valid, save it
* (we don't care about zeros in hdr->reserved2 area) */
memcpy(hdr, h, sizeof(*h));
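Review bot: The new condition's `esz >= UINT32_MAX` bound and its exact-size test on `sizeof_partition_entry` are unexplained, although both are what keeps a header read from an untrusted disk from driving later reads out of bounds. A comment above the `if` would record the intent, for example `/* entry array must fit in 32 bits; entries must match struct gpt_entry, which is how they are accessed */`; the later uses of `esz` are outside this hunk, so check the wording against them. The equality test also rejects headers with larger entry sizes, which the UEFI specification allows (128 × 2^n), so the comment should say that this is deliberate. The moved comment `Size of blocks with GPT entries` would be more accurate as `Size in bytes of the GPT entry array`, and the single debug string `GPT entries undefined` now covers three distinct rejection reasons (zero size, oversized array, unexpected entry size). get_gpt_header starts and ends outside the hunk.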