File ntfs-3g-CVE-2022-40284-0001-Rejected-zero-sized-runs.patch of Package ntfs-3g_ntfsprogs.26594
From 18bfc676119a1188e8135287b8327b0760ba44a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jean-Pierre=20Andr=C3=A9?= <jean-pierre.andre@wanadoo.fr>
Date: Wed, 14 Sep 2022 08:29:58 +0200
Subject: [PATCH 1/2] Rejected zero-sized runs
A zero-size run is the universal way to identify the end of a runlist,
so we must reject zero-sized runs when decompressing a runlist. A
zero-size data run is an error, and a zero-size hole is simply ignored.
---
libntfs-3g/runlist.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libntfs-3g/runlist.c b/libntfs-3g/runlist.c
index c83c2b7d..720bdce6 100644
--- a/libntfs-3g/runlist.c
+++ b/libntfs-3g/runlist.c
@@ -5,7 +5,7 @@
* Copyright (c) 2002-2005 Richard Russon
* Copyright (c) 2002-2008 Szabolcs Szakacsits
* Copyright (c) 2004 Yura Pakhuchiy
- * Copyright (c) 2007-2010 Jean-Pierre Andre
+ * Copyright (c) 2007-2022 Jean-Pierre Andre
*
* This program/include file is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as published
@@ -918,11 +918,18 @@ static runlist_element *ntfs_mapping_pairs_decompress_i(const ntfs_volume *vol,
"array.\n");
goto err_out;
}
+ /* chkdsk accepts zero-sized runs only for holes */
+ if ((lcn != (LCN)-1) && !rl[rlpos].length) {
+ ntfs_log_debug(
+ "Invalid zero-sized data run.\n");
+ goto err_out;
+ }
/* Enter the current lcn into the runlist element. */
rl[rlpos].lcn = lcn;
}
- /* Get to the next runlist element. */
- rlpos++;
+ /* Get to the next runlist element, skipping zero-sized holes */
+ if (rl[rlpos].length)
+ rlpos++;
/* Increment the buffer position to the next mapping pair. */
buf += (*buf & 0xf) + ((*buf >> 4) & 0xf) + 1;
}
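Review bot: The new rejection of a zero-sized data run reports the failure only through ntfs_log_debug before `goto err_out`, a debug-level message that normal use is unlikely to surface, so whoever triages a corrupt or crafted volume gets no hint of why the runlist was refused. Consider ntfs_log_error for this message, since this is the check the commit exists to add. In the second change, `if (rl[rlpos].length) rlpos++;` leaves the skipped hole's fields in rl[rlpos] for the next mapping pair to overwrite. The comment should say that the slot is reused, and it is worth confirming that the code after the loop rewrites every field of rl[rlpos] when the skipped hole was the last pair in the array.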
--
2.24.3 (Apple Git-128)