fs/iso9660: Require full entry length to fit in buffer in next_entry

2026-04-18 22:29:10 +02:00
parent 65a4eaed9d
commit 89ce18ca5c
1 changed files with 5 additions and 0 deletions
--- a/common/fs/iso9660.s2.c
+++ b/common/fs/iso9660.s2.c
@@ -284,6 +284,11 @@ static struct iso9660_directory_entry *iso9660_next_entry(void *current, void *b
    if (entry->length < sizeof(struct iso9660_directory_entry))
        return NULL;

+    // Validate that the entire entry (as declared by its length field) is
+    // within the buffer, so callers can safely read all entry->length bytes.
+    if ((size_t)entry->length > (size_t)((uint8_t *)buffer_end - (uint8_t *)entry))
+        return NULL;
+
    return entry;
 }