A corrrup inode might lead to preposterous dir sizes. So check the

size to avoid a negative lastbn which might cause a segv or heap
corruption. With help from mickey@; ok mickey@ pedro@ millert@

1 files changed, 7 insertions, 3 deletions

diff --git a/sbin/fsck_ffs/dir.c b/sbin/fsck_ffs/dir.c
index 1d014c74eca..0b2cd296680 100644
--- a/sbin/fsck_ffs/dir.c
+++ b/sbin/fsck_ffs/dir.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: dir.c,v 1.18 2007/01/24 13:24:58 bluhm Exp $	*/
+/*	$OpenBSD: dir.c,v 1.19 2007/02/08 13:09:53 otto Exp $	*/
 /*	$NetBSD: dir.c,v 1.20 1996/09/27 22:45:11 christos Exp $	*/
 
 /*
@@ -34,7 +34,7 @@
 #if 0
 static char sccsid[] = "@(#)dir.c	8.5 (Berkeley) 12/8/94";
 #else
-static const char rcsid[] = "$OpenBSD: dir.c,v 1.18 2007/01/24 13:24:58 bluhm Exp $";
+static const char rcsid[] = "$OpenBSD: dir.c,v 1.19 2007/02/08 13:09:53 otto Exp $";
 #endif
 #endif /* not lint */
 
@@ -555,8 +555,12 @@ expanddir(struct ufs1_dinode *dp, char *name)
 	daddr_t lastbn, newblk;
 	struct bufarea *bp;
 	char *cp, firstblk[DIRBLKSIZ];
+	u_int64_t dis;
 
-	lastbn = lblkno(&sblock, dp->di_size);
+	dis = lblkno(&sblock, dp->di_size);
+	if (dis > (u_int64_t)INT_MAX)
+		return (0);
+	lastbn = dis;
 	if (lastbn >= NDADDR - 1 || dp->di_db[lastbn] == 0 || dp->di_size == 0)
 		return (0);
 	if ((newblk = allocblk(sblock.fs_frag)) == 0)