From: Jeff Mahoney <jeffm@suse.com>
Subject: LU-10205 libext2fs: fix buffer overrun in ext2fs_expand_extra_isize

In ext2fs_expand_extra_isize, we size buffer using 'size' but then
do the memcpy with the rounded-up size, which can overflow the buffer.

With MALLOC_CHECK_=2, I see:
Error in `../e2fsck/e2fsck': free(): invalid pointer: <addr>

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
---
 lib/ext2fs/ext_attr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ext2fs/ext_attr.c b/lib/ext2fs/ext_attr.c
index a9d0b62f..3fb8d844 100644
--- a/lib/ext2fs/ext_attr.c
+++ b/lib/ext2fs/ext_attr.c
@@ -1032,7 +1032,7 @@ retry:
 		size = entry->e_value_size;
 		entry_size = EXT2_EXT_ATTR_LEN(entry->e_name_len);
 		i.name_index = entry->e_name_index;
-		error = ext2fs_get_mem(size, &buffer);
+		error = ext2fs_get_mem(EXT2_EXT_ATTR_SIZE(size), &buffer);
 		if (error)
 			goto cleanup;
 		error = ext2fs_get_mem(entry->e_name_len + 1, &b_entry_name);