--- x/fs/udf/super.c
+++ y/fs/udf/super.c
@@ -114,6 +114,11 @@ struct logicalVolIntegrityDescImpUse *ud
 	partnum = le32_to_cpu(lvid->numOfPartitions);
 	/* The offset is to skip freeSpaceTable and sizeTable arrays */
 	offset = partnum * 2 * sizeof(uint32_t);
+	if (sb->s_blocksize < sizeof(*lvid))
+		return NULL;
+	if (sb->s_blocksize - sizeof(*lvid) <
+	    offset + sizeof(struct logicalVolIntegrityDescImpUse))
+		return NULL;
 	return (struct logicalVolIntegrityDescImpUse *)
 					(((uint8_t *)(lvid + 1)) + offset);
 }
@@ -2337,6 +2342,10 @@ static int udf_sync_fs(struct super_bloc
 	struct logicalVolIntegrityDesc *lvid;
 
 	lvid = (struct logicalVolIntegrityDesc *)bh->b_data;
+	if (le16_to_cpu(lvid->descTag.descCRCLength) + sizeof(struct tag) >
+	    sb->s_blocksize)
+		lvid->descTag.descCRCLength = cpu_to_le16(sb->s_blocksize -
+			sizeof(struct tag));
 	udf_finalize_lvid(lvid);
 
 	/*
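Review bot: The new bounds check in udf_sb_lvidiu() keys off `offset`, whose declaration is outside the hunk; `partnum` comes from the on-disk `numOfPartitions`, so if `offset` is narrower than size_t the product `partnum * 2 * sizeof(uint32_t)` is truncated on assignment and a wrapped value passes the check while pointing at the wrong place inside the block. Validating `partnum` against the number of partitions the superblock actually loaded, or computing the offset in a size_t before comparing, would close that gap — please confirm against the declaration. The two checks also carry no comment saying why they exist; I would add `/* Corrupt numOfPartitions could otherwise place the imp use area past the end of the LVID block */` above the first `if`. The function's declarations and the NULL check on s_lvid_bh start above the hunk.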
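Review bot: The clamp of `descCRCLength` in udf_sync_fs() silently rewrites a field read from disk without saying why; presumably udf_finalize_lvid() computes the tag CRC over that many bytes after the tag and an oversized value would read past the block, but the hunk leaves the reader to guess. I would add `/* Clamp a corrupt descCRCLength so udf_finalize_lvid() does not checksum past the end of the block */` above the `if`. As a point of design, repairing the value at sync time means a corrupt LVID is accepted at mount and only patched on the way out; rejecting it when the descriptor is loaded would be the more conservative choice, though that depends on code outside this hunk. The enclosing `if (sbi->s_lvid_dirty)` block begins before the hunk and continues after it.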