--- a/fs/udf/super.c 2022-05-24 12:25:10.841972300 +0800
+++ b/fs/udf/super.c 2022-05-24 12:27:10.033663000 +0800
@@ -109,10 +109,16 @@ struct logicalVolIntegrityDescImpUse *ud
 return NULL;
 lvid = (struct logicalVolIntegrityDesc *)UDF_SB(sb)->s_lvid_bh->b_data;
 partnum = le32_to_cpu(lvid->numOfPartitions);
+ if ((sb->s_blocksize - sizeof(struct logicalVolIntegrityDescImpUse) -
+ offsetof(struct logicalVolIntegrityDesc, impUse)) /
+ (2 * sizeof(uint32_t)) < partnum) {
+ udf_err(sb, "Logical volume integrity descriptor corrupted "
+ "(numOfPartitions = %u)!\n", partnum);
+ return NULL;
+ }
 /* The offset is to skip freeSpaceTable and sizeTable arrays */
 offset = partnum * 2 * sizeof(uint32_t);
- return (struct logicalVolIntegrityDescImpUse *)
- (((uint8_t *)(lvid + 1)) + offset);
+ return (struct logicalVolIntegrityDescImpUse *)&(lvid->impUse[offset]);
 }

 /* UDF filesystem type */
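Review bot: The added `return NULL;` gives this accessor a second failure cause (an on-disk `numOfPartitions` too large for the block), so any caller that only tests `s_lvid_bh` before using the result would now dereference NULL; the callers are outside this hunk and should be audited for a NULL check on the returned pointer. The bound itself matches the visible arithmetic, but it runs and calls `udf_err()` on every invocation, so a corrupted or crafted image can repeat the message each time the descriptor is accessed; validating the field once where the LVID block is read at mount would avoid that. A short comment above the check would also help, e.g. `/* numOfPartitions is read from disk: both tables plus the impUse struct must fit in one block */`. The function's signature and opening lines sit above the hunk.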