udf_get_extendedattr() had no boundary checks.

		else

			offset = le32_to_cpu(eahd->appAttrLocation);

		while (offset < iinfo->i_lenEAttr) {

		while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) {

			uint32_t attrLength;

			gaf = (struct genericFormat *)&ea[offset];

			attrLength = le32_to_cpu(gaf->attrLength);

			/* Detect undersized elements and buffer overflows */

			if ((attrLength < sizeof(*gaf)) ||

			    (attrLength > (iinfo->i_lenEAttr - offset)))

				break;

			if (le32_to_cpu(gaf->attrType) == type &&

					gaf->attrSubtype == subtype)

				return gaf;

			else

				offset += le32_to_cpu(gaf->attrLength);

				offset += attrLength;

		}

	}