authorEthan <ethan.too@gmail.com>2010-07-21 21:57:05 +0800
committerEthan <ethan.too@gmail.com>2010-07-21 21:57:05 +0800
commit59ae828834dc177c74775cf36cafda4da9927bd9 (patch)
tree6f399eaeb950ea0ce179115e9a6edf76d2a96ce3
parenta6eb0d1794880492a5779fd8e871eb9ceb3e8737 (diff)
downloadandroid_external_fsck_msdos-59ae828834dc177c74775cf36cafda4da9927bd9.tar.gz
android_external_fsck_msdos-59ae828834dc177c74775cf36cafda4da9927bd9.tar.bz2
android_external_fsck_msdos-59ae828834dc177c74775cf36cafda4da9927bd9.zip
Fix an out of boundary access in fat.c
From SD Specifications Part2 - File System: for Next Free Cluster, the value FFFFFFFFh indicates that there exists no information about the first available (free) cluster. It is a valid value. However, fat.c doesn't check the value before using it as an array index. This causes fsck_msdos to core dump with some micro SD cards. Change-Id: Ibdec1655399d95c3ca98a4f4aaed1fd9bf459f33 Signed-off-by: Ethan <ethan.too@gmail.com>
-rw-r--r--fat.c22
1 files changed, 12 insertions, 10 deletions
diff --git a/fat.c b/fat.c
index 8871407..d07be09 100644
--- a/fat.c
+++ b/fat.c
@@ -692,16 +692,18 @@ checklost(int dosfs, struct bootblock *boot, struct fatEntry *fat)
ret = 1;
}
}
- if (boot->NumFree && fat[boot->FSNext].next != CLUST_FREE) {
- pwarn("Next free cluster in FSInfo block (%u) not free\n",
- boot->FSNext);
- if (ask(1, "Fix"))
- for (head = CLUST_FIRST; head < boot->NumClusters; head++)
- if (fat[head].next == CLUST_FREE) {
- boot->FSNext = head;
- ret = 1;
- break;
- }
+ if (boot->NumFree) {
+ if ((boot->FSNext >= boot->NumClusters) || (fat[boot->FSNext].next != CLUST_FREE)) {
+ pwarn("Next free cluster in FSInfo block (%u) not free\n",
+ boot->FSNext);
+ if (ask(1, "Fix"))
+ for (head = CLUST_FIRST; head < boot->NumClusters; head++)
+ if (fat[head].next == CLUST_FREE) {
+ boot->FSNext = head;
+ ret = 1;
+ break;
+ }
+ }
}
if (ret)
mod |= writefsinfo(dosfs, boot);
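Review bot: The new guard `boot->FSNext >= boot->NumClusters` stops the out-of-range read of `fat[]`, but it reports the FFFFFFFFh "no information" value, which the commit message calls valid, with the same "not free" warning and Fix prompt as a genuinely wrong hint. Because the FSInfo block is read straight from the card and cannot be trusted, it would be clearer to tell the two cases apart in the message, e.g. `pwarn("Next free cluster in FSInfo block (%u) %s\n", boot->FSNext, boot->FSNext >= boot->NumClusters ? "invalid" : "not free");`. The bound is only sufficient if `fat` holds at least `boot->NumClusters` entries and `FSNext` is unsigned (the `%u` suggests so); neither is visible here, so a one-line comment such as `/* FSNext comes from on-disk FSInfo; validate before indexing fat[] */` above the check would record the assumption. checklost's body starts and ends outside this hunk.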