Bug 278281 - /usr/sbin/fstyp potential read through wild pointer
Summary: /usr/sbin/fstyp potential read through wild pointer
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-04-09 21:51 UTC by Robert Morris
Modified: 2024-04-09 22:43 UTC

See Also:


Attachments
file system image that causes fstyp's fstyp_ntfs() to crash (122.30 KB, application/x-gzip)
2024-04-09 21:51 UTC, Robert Morris

Description Robert Morris 2024-04-09 21:51:53 UTC
Created attachment 249865
file system image that causes fstyp's fstyp_ntfs() to crash

This code in fstyp's ntfs.c fstyp_ntfs():

        filerecp = read_buf(fp, voloff, recsize);
        ...;
        for (ap = filerecp + fr->fr_attroff;
            atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
            ap += atr->reclen) {

can cause ap and atr to have crazy values if the filesystem being
inspected provides something bad for atr->reclen.

If atr->reclen == 0, it's an infinite loop.

Separately, in hammer2.c read_label(), "vols[i] = read_buf(...)" can
be NULL, but the next line dereferences vols[i] without checking.

I've attached a demo for the first bug:

# uname -a
FreeBSD stock14 15.0-CURRENT FreeBSD 15.0-CURRENT #21 main-n269145-3e1c8a35f741-dirty: Sat Apr  6 15:52:00 AST 2024     root@stock14:/usr/obj/usr/src/amd64.amd64/sys/GENERIC amd64
# gunzip fstyp6b.img.gz 
# fstyp -u -l fstyp6b.img 
Segmentation fault


Program received signal SIGSEGV, Segmentation fault.
Address not mapped to object.
fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
169                 atr = (struct ntfs_attr *)ap, (int)atr->a_type != -1;
(gdb) where
#0  fstyp_ntfs (fp=0x80131f330, label=0x7fffffffe7f0 "", size=257)
    at /usr/src/usr.sbin/fstyp/ntfs.c:169
#1  0x0000000001024a6c in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/usr.sbin/fstyp/fstyp.c:240