omfs: fix oops when file metadata is corrupted

A fuzzed fileystem image failed with OMFS when the extent count was
used in a loop without being checked against the max number of extents.
It also provoked a signed division for an array index that was checked
as if unsigned, leading to index by -1.

omfsck will be updated to fix these cases, in the meantime bail out
gracefully.

Reported-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 3 insertions, 2 deletions

diff --git a/fs/omfs/bitmap.c b/fs/omfs/bitmap.c
index 697663b01bae..e1c0ec0ae989 100644
--- a/fs/omfs/bitmap.c
+++ b/fs/omfs/bitmap.c
@@ -92,7 +92,7 @@ int omfs_allocate_block(struct super_block *sb, u64 block)
         struct buffer_head *bh;
         struct omfs_sb_info *sbi = OMFS_SB(sb);
         int bits_per_entry = 8 * sb->s_blocksize;
-        int map, bit;
+        unsigned int map, bit;
         int ret = 0;
         u64 tmp;
 
@@ -176,7 +176,8 @@ int omfs_clear_range(struct super_block *sb, u64 block, int count)
         struct omfs_sb_info *sbi = OMFS_SB(sb);
         int bits_per_entry = 8 * sb->s_blocksize;
         u64 tmp;
-        int map, bit, ret;
+        unsigned int map, bit;
+        int ret;
 
         tmp = block;
         bit = do_div(tmp, bits_per_entry);