Created attachment 249865 [details] file system image that causes fstyp's fstyp_ntfs() to crash This code in fstyp's ntfs.c fstyp_ntfs(): filerecp = read_buf(fp, voloff, recsize); ...; for (ap = filerecp + fr->fr_attroff; atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1; ap += atr->reclen) { can cause ap and atr to have crazy values if the filesystem being inspected provides something bad for atr->reclen. If atr->reclen == 0, it's an infinite loop. Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can be NULL, but the next line dereferences vols[i] without checking. I've attached a demo for the first bug: # uname -a FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr 6 15:52:00 AST 2024 root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64 # gunzip fstyp6b.img.gz # fstyp -u -l fstyp6b.img Segmentation fault Program received signal SIGSEGV, Segmentation fault. Address not mapped to object. fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257) at /usr/src/usr.sbin/fstyp/ntfs.c:169 169 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1; (gdb) where #0 fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257) at /usr/src/usr.sbin/fstyp/ntfs.c:169 #1 0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/usr.sbin/fstyp/fstyp.c:240