From 12069653227cc541aa138ed6673a81662ad67bfe Mon Sep 17 00:00:00 2001
From: Tomohiro Kusumi <tkusumi@netbsd.org>
Date: Thu, 3 Feb 2022 00:59:42 +0900
Subject: [PATCH] sys/vfs/msdosfs: Sanity check sector count from BPB

taken-from FreeBSD ba2c98389b78b548aedac0be53121df909c3fe2f
---
 sys/vfs/msdosfs/msdosfs_vfsops.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/sys/vfs/msdosfs/msdosfs_vfsops.c b/sys/vfs/msdosfs/msdosfs_vfsops.c
index 5237479063..e8dc2fe74e 100644
--- a/sys/vfs/msdosfs/msdosfs_vfsops.c
+++ b/sys/vfs/msdosfs/msdosfs_vfsops.c
@@ -430,6 +430,13 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp, struct msdosfs_args *argp)
 	}
 
 	pmp->pm_HugeSectors *= pmp->pm_BlkPerSec;
+	if ((off_t)pmp->pm_HugeSectors * pmp->pm_BytesPerSec <
+	    pmp->pm_HugeSectors /* overflow */) {
+		/* XXX FreeBSD also checks media size in above */
+		error = EINVAL;
+		goto error_exit;
+	}
+
 	pmp->pm_HiddenSects *= pmp->pm_BlkPerSec;	/* XXX not used? */
 	pmp->pm_FATsecs     *= pmp->pm_BlkPerSec;
 	SecPerClust         *= pmp->pm_BlkPerSec;
@@ -449,6 +456,10 @@ mountmsdosfs(struct vnode *devvp, struct mount *mp, struct msdosfs_args *argp)
 		pmp->pm_firstcluster = pmp->pm_rootdirblk + pmp->pm_rootdirsize;
 	}
 
+	if (pmp->pm_HugeSectors <= pmp->pm_firstcluster) {
+		error = EINVAL;
+		goto error_exit;
+	}
 	pmp->pm_maxcluster = (pmp->pm_HugeSectors - pmp->pm_firstcluster) /
 	    SecPerClust + 1;
 
-- 
2.41.0