authorLennart Poettering <lennart@poettering.net>2012-09-10 11:58:00 +0200
committerLennart Poettering <lennart@poettering.net>2012-09-10 11:58:00 +0200
commit7762e02b172913e8af82f6ba013487527413be84 (patch)
tree5b56c0bded98a0116326c54bdc0a6069bbd18c9d /src/journal/journal-file.c
parent9d576438a1ee932bde1fb0f1be1aa5cae646fd4e (diff)
journald: detect invalid header pointers correctly
Diffstat (limited to 'src/journal/journal-file.c')
-rw-r--r--src/journal/journal-file.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c
index 06de2acc50..c8193baa3b 100644
--- a/src/journal/journal-file.c
+++ b/src/journal/journal-file.c
@@ -221,10 +221,16 @@ static int journal_file_verify_header(JournalFile *f) {
if (le64toh(f->header->tail_object_offset) > (le64toh(f->header->header_size) + le64toh(f->header->arena_size)))
return -ENODATA;
- if (!VALID64(f->header->data_hash_table_offset) ||
- !VALID64(f->header->field_hash_table_offset) ||
- !VALID64(f->header->tail_object_offset) ||
- !VALID64(f->header->entry_array_offset))
+ if (!VALID64(le64toh(f->header->data_hash_table_offset)) ||
+ !VALID64(le64toh(f->header->field_hash_table_offset)) ||
+ !VALID64(le64toh(f->header->tail_object_offset)) ||
+ !VALID64(le64toh(f->header->entry_array_offset)))
+ return -ENODATA;
+
+ if (le64toh(f->header->data_hash_table_offset) < le64toh(f->header->header_size) ||
+ le64toh(f->header->field_hash_table_offset) < le64toh(f->header->header_size) ||
+ le64toh(f->header->tail_object_offset) < le64toh(f->header->header_size) ||
+ le64toh(f->header->entry_array_offset) < le64toh(f->header->header_size))
return -ENODATA;
if (f->writable) {
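Review bot: The added lower-bound test covers all four offsets, but within this hunk only `tail_object_offset` is also compared against the end of the arena; `data_hash_table_offset`, `field_hash_table_offset` and `entry_array_offset` have no visible upper bound, so a corrupted header could still point them past the file data. If no later check in journal_file_verify_header (which continues outside the hunk) covers this, the same comparison should be applied to each, e.g. `le64toh(f->header->entry_array_offset) > le64toh(f->header->header_size) + le64toh(f->header->arena_size)`. That sum is built from two file-supplied 64-bit values and can wrap, so it is safer written as `offset - header_size > arena_size` once the offset is known to be at least header_size. It is also worth confirming that 0 is never a legitimate "not yet set" value for these fields, since the new test would then reject such files.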
@@ -323,6 +329,9 @@ static int journal_file_move_to(JournalFile *f, int context, bool keep_always, u
assert(f);
assert(ret);
+ if (size <= 0)
+ return -EINVAL;
+
/* Avoid SIGBUS on invalid accesses */
if (offset + size > (uint64_t) f->last_stat.st_size) {
/* Hmm, out of range? Let's refresh the fstat() data
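Review bot: The range test `offset + size > (uint64_t) f->last_stat.st_size` directly below the new guard can wrap when both values are large, and the added `size <= 0` check does not prevent that, so an offset taken from a damaged file could pass the test meant to avoid SIGBUS. The parameter types are cut off in the hunk header; if `size` is unsigned, as the cast suggests, `<= 0` can only ever mean `== 0` and reads better written that way. Extending the guard to `if (size == 0 || offset > UINT64_MAX - size) return -EINVAL;` rejects the wrapping case before the addition is evaluated. journal_file_move_to continues past the end of the hunk, so later uses of `offset + size` were not checked here.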