Infinite loop found by fuzzing

[Dr-Emann]

Base64 of archive:

aHNxcwIAAADOhl5dABAAAAEAAAABAAwAywECAAQAAAAgAAAAAAAAAAIBAAAAAAAA+gAAAAAAAAD/
/////////2MAAAAAAAAApQAAAAAAAADOAAAAAAAAAOgAAAAAAAAAaGkKQIABALQBAAABANQMXl0C
AAAAAAAAAAAAAAARIAAAAwAAAAEA/QEAAAEA1AxeXQcAAAAAAAAAAgAAABgfAAADAAQAFYAAAAEA
AAAAAAEAAAAAAAAAAgAAAGELgGAAAAAAAAAAAwAAAQAAAAC8AAAAAAAAABCAAAAAAAABAAAgAAAA
AAAAANYgAAAAAAAACIDpHRMA6wMAAPAAAAAAAAAAAAA=

When run through rdsquashfs -d bad.squashfs, outputs this line over and over:

WARNING: Found a directory that contains itself, skipping loop back reference!

infinitely, as best as I can tell.

[AgentD]

Funny enough, it actually appears to be finite. I let it run for a few minutes and it produced a listing with two entries.

Debugging showed that the image produces thousands of directory entries with inode number 2 under the root inode (7), each containing even more entries with inode number 2, thus the large spew of warning messages.

In addition to self references, the image uses a clever trick with out-of-bounds metadata references which makes the metadata reader feed zero padding into the inode and directory readers. I haven't tested it on a 32 bit system yet, maybe some integer overflow come into play there too.

What I did for now in commit 029a8db2 was adding better bounds checking to the metedata reader, i.e. checking if a block is in a region where it makes sense for the block to be and when accessing it, testing against the bounds of the data actually read, instead of the maximum meta block size.

[Dr-Emann]

Huh. Interesting stuff! It's amazing how afl can make these cool kind of archives.