From 02b3060d08d91d12bc96e077b4d23418d66174cf Mon Sep 17 00:00:00 2001
From: Eric Biggers
Date: Wed, 4 Nov 2015 21:55:02 -0600
Subject: [PATCH] resource.c: fix bug in read_compressed_wim_resource()

The number of chunk entries to read could be incorrectly computed as 1 rather than 0. This caused an on-stack array to be overflowed by 8 bytes.
---
 src/resource.c | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/src/resource.c b/src/resource.c
index 72d05193..efdbdd40 100644
--- a/src/resource.c
+++ b/src/resource.c
@@ -234,35 +234,34 @@ read_compressed_wim_resource(const struct wim_resource_descriptor * const rdesc,
  * to initialize the chunk_offsets array. */
  u64 first_chunk_entry_to_read;
- u64 last_chunk_entry_to_read;
+ u64 num_chunk_entries_to_read;
  if (alt_chunk_table) {
  /* The alternate chunk table contains chunk sizes, not
  * offsets, so we always must read all preceding entries
  * in order to determine offsets. */
  first_chunk_entry_to_read = 0;
- last_chunk_entry_to_read = last_needed_chunk;
+ num_chunk_entries_to_read = last_needed_chunk + 1;
  } else {
- /* Here we must account for the fact that the first
- * chunk has no explicit chunk table entry. */
- if (read_start_chunk == 0)
+ num_chunk_entries_to_read = last_needed_chunk - read_start_chunk + 1;
+
+ /* The first chunk has no explicit chunk table entry. */
+ if (read_start_chunk == 0) {
+ num_chunk_entries_to_read--;
  first_chunk_entry_to_read = 0;
- else
+ } else {
  first_chunk_entry_to_read = read_start_chunk - 1;
+ }
- if (last_needed_chunk == 0)
- last_chunk_entry_to_read = 0;
- else
- last_chunk_entry_to_read = last_needed_chunk - 1;
-
+ /* Unless we're reading the final chunk of the resource,
+ * we need the offset of the chunk following the last
+ * needed chunk so that the compressed size of the last
+ * needed chunk can be computed. */
  if (last_needed_chunk < num_chunks - 1)
- last_chunk_entry_to_read++;
+ num_chunk_entries_to_read++;
  }
- const u64 num_chunk_entries_to_read = last_chunk_entry_to_read - first_chunk_entry_to_read + 1;
-
  const u64 chunk_offsets_alloc_size = max(num_chunk_entries_to_read, num_needed_chunk_offsets) * sizeof(chunk_offsets[0]);
-- 
2.43.0
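Review bot: The corrected `num_chunk_entries_to_read` still flows straight into `chunk_offsets_alloc_size` at the end of the hunk and, per the commit message, into an on-stack array, yet nothing in the new code bounds it against the chunk table, so a future miscount would again be a silent stack overflow rather than a caught error. After the `if (alt_chunk_table)` ... `else` block, a defensive check such as `wimlib_assert(first_chunk_entry_to_read + num_chunk_entries_to_read <= num_chunks);` would turn any regression into a loud failure; `num_chunks` is a valid upper bound for both layouts because the standard table has one entry fewer than chunks and the alternate table one entry per chunk. A comment on the new declaration, `/* Number of chunk table entries to read, starting at first_chunk_entry_to_read; 0 when only chunk 0 of a single-chunk resource is needed */`, would document the zero case this commit fixes. The added assignment `num_chunk_entries_to_read = last_needed_chunk - read_start_chunk + 1;` also runs past 80 columns at its indentation; splitting it after the `=` matches the wrapping used for `chunk_offsets_alloc_size`. read_compressed_wim_resource starts and ends outside the hunk.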