mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-01 15:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
eaf463919d2ff26410cddd02479b3c7bbab292cb
poky/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch
Saul Wold 94aa8d8e13 squashfs-tools: remove FILESEXTRAPATH and move patches directory 
(From OE-Core rev: 60375dd8d0a849a7a23badb0f195a662c93a4922)

Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-11-20 14:03:26 +00:00

73 lines
2.1 KiB
Diff
Raw Blame History

Upstream-Status: Backport
Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=
squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123
Fix potential stack overflow in get_component() where an individual
pathname component in an extract file (specified on the command line
or in an extract file) could exceed the 1024 byte sized targname
allocated on the stack.
Fix by dynamically allocating targname rather than storing it as
a fixed size on the stack.
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
diff -urpN a/unsquashfs.c b/unsquashfs.c
--- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800
+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800
@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir)
}
-char *get_component(char *target, char *targname)
+char *get_component(char *target, char **targname)
{
+ char *start;
+
while(*target == '/')
target ++;
+ start = target;
while(*target != '/' && *target!= '\0')
- *targname ++ = *target ++;
+ target ++;
- *targname = '\0';
+ *targname = strndup(start, target - start);
return target;
}
@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths)
struct pathname *add_path(struct pathname *paths, char *target, char *alltarget)
{
- char targname[1024];
+ char *targname;
int i, error;
TRACE("add_path: adding \"%s\" extract file\n", target);
- target = get_component(target, targname);
+ target = get_component(target, &targname);
if(paths == NULL) {
paths = malloc(sizeof(struct pathname));
@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam
sizeof(struct path_entry));
if(paths->name == NULL)
EXIT_UNSQUASH("Out of memory in add_path\n");
- paths->name[i].name = strdup(targname);
+ paths->name[i].name = targname;
paths->name[i].paths = NULL;
if(use_regex) {
paths->name[i].preg = malloc(sizeof(regex_t));
@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam
/*
* existing matching entry
*/
+ free(targname);
+
if(paths->name[i].paths == NULL) {
/*
* No sub-directory which means this is the leaf
Reference in New Issue View Git Blame Copy Permalink