1 files changed, 9 insertions, 1 deletions

diff --git a/fs/udf/super.c b/fs/udf/super.c
index 0bb6a6ded08..ee31a2ad087 100644
--- a/fs/udf/super.c
+++ b/fs/udf/super.c
@@ -1254,6 +1254,7 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
         struct genericPartitionMap *gpm;
         uint16_t ident;
         struct buffer_head *bh;
+        unsigned int table_len;
         int ret = 0;
 
         bh = udf_read_tagged(sb, block, block, &ident);
@@ -1261,13 +1262,20 @@ static int udf_load_logicalvol(struct super_block *sb, sector_t block,
                 return 1;
         BUG_ON(ident != TAG_IDENT_LVD);
         lvd = (struct logicalVolDesc *)bh->b_data;
+        table_len = le32_to_cpu(lvd->mapTableLength);
+        if (sizeof(*lvd) + table_len > sb->s_blocksize) {
+                udf_error(sb, __func__, "error loading logical volume descriptor: "
+                        "Partition table too long (%u > %lu)\n", table_len,
+                        sb->s_blocksize - sizeof(*lvd));
+                goto out_bh;
+        }
 
         ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps));
         if (ret)
                 goto out_bh;
 
         for (i = 0, offset = 0;
-             i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);
+             i < sbi->s_partitions && offset < table_len;
              i++, offset += gpm->partitionMapLength) {
                 struct udf_part_map *map = &sbi->s_partmaps[i];
                 gpm = (struct genericPartitionMap *)