[PATCH] Squashfs: prevent signed integer conversion overflow in get_dir_index_using_name

Nikola Z. Ivanov posted 1 patch 1 month, 4 weeks ago
Syzkaller reports a "general protection fault in squashfs_copy_data".

This and other cases have already been covered here:
https://lore.kernel.org/all/20260217050955.138351-1-phillip@squashfs.org.uk/T/

However, in this case the culprit for the offset becoming negative
is that we interpret a large le32 as a signed int, which
comes out to be a negative value:

length = le32_to_cpu(index->index);

This happens in the call to get_dir_index_using_name
inside squashfs_lookup.

Later in the same function the arithmetic comes
out negative, as length is negative:

*next_offset = (length + *next_offset) % SQUASHFS_METADATA_SIZE;

Fix this by declaring length as an unsigned int.

Reported-by: syzbot+a9747fe1c35a5b115d3f@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/699234e2.a70a0220.2c38d7.00e2.GAE@google.com/
Signed-off-by: Nikola Z. Ivanov <zlatistiv@gmail.com>
---
 fs/squashfs/namei.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/namei.c b/fs/squashfs/namei.c
index 65aae7e2a859..7f1f6d63d89d 100644
--- a/fs/squashfs/namei.c
+++ b/fs/squashfs/namei.c
@@ -65,8 +65,8 @@ static int get_dir_index_using_name(struct super_block *sb,
 			int index_offset, int i_count, const char *name)
 {
 	struct squashfs_sb_info *msblk = sb->s_fs_info;
-	int i, length = 0, err;
-	unsigned int size;
+	int i, err;
+	unsigned int size, length = 0;
 	struct squashfs_dir_index *index;
 
 	TRACE("Entered get_dir_index_using_name, i_count %d\n", i_count);
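Review bot: The hunk only changes the declaration of `length` to `unsigned int`, while the function's return type in the `@@` context line stays `int` and `*next_offset` is not touched; if `length` feeds the return value, the signed conversion is moved to the caller rather than removed, and in `(length + *next_offset) % SQUASHFS_METADATA_SIZE` the addition now silently becomes unsigned arithmetic with a signed operand. Consider rejecting `index->index` values that cannot be a valid offset within a metadata block (an explicit range check after `le32_to_cpu(index->index)`) and stating in the commit message why the unsigned modulo result is correct for every value the loop can produce.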
-- 
2.52.0