!9 Fix CVE-2021-40153 CVE-2021-41072

From: @markeryang
Reviewed-by: @liuzhiqiang26
Signed-off-by: @liuzhiqiang26

0005-CVE-2021-40153.patch

@@ -0,0 +1,264 @@
+From 39971ca17a17520cefeb84f65e028d5004a579b2 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sat, 16 Jan 2021 20:08:55 +0000
+Subject: [PATCH] Unsquashfs: fix write outside destination directory exploit
+
+An issue on Github (https://github.com/plougher/squashfs-tools/issues/72)
+shows how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and ..) can cause Unsquashfs to write
+files outside of the destination directory.
+
+This commit fixes this exploit by checking all names for
+validity.
+
+In doing so I have also added checks for '.' and for names that
+are shorter than they should be (names in the file system should
+not have '\0' terminators).
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile        |  5 ++-
+ squashfs-tools/unsquash-1.c    |  9 +++++-
+ squashfs-tools/unsquash-1234.c | 58 ++++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-2.c    |  9 +++++-
+ squashfs-tools/unsquash-3.c    |  9 +++++-
+ squashfs-tools/unsquash-4.c    |  9 +++++-
+ squashfs-tools/unsquashfs.c    |  4 +--
+ squashfs-tools/unsquashfs.h    |  5 ++-
+ 8 files changed, 100 insertions(+), 8 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-1234.c
+
+diff --git a/squashfs-tools/Makefile b/squashfs-tools/Makefile
+index 46c0772..de06bb2 100644
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -156,7 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o action.o swap.o pseudo.o compressor.o \
+ 	caches-queues-lists.o
+ 
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+-	unsquash-4.o unsquash-123.o unsquash-34.o swap.o compressor.o unsquashfs_info.o
++	unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
++	compressor.o unsquashfs_info.o
+ 
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -350,6 +351,8 @@ unsquash-123.o: unsquashfs.h unsquash-123.c squashfs_fs.h squashfs_compat.h
+ 
+ unsquash-34.o: unsquashfs.h unsquash-34.c
+ 
++unsquash-1234.o: unsquash-1234.c
++
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+ 
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
+index 34eced3..28326cb 100644
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -285,6 +285,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-1234.c b/squashfs-tools/unsquash-1234.c
+new file mode 100644
+index 0000000..c2d4f42
+--- /dev/null
++++ b/squashfs-tools/unsquash-1234.c
+@@ -0,0 +1,58 @@
++/*
++ * Unsquash a squashfs filesystem.  This is a highly compressed read only
++ * filesystem.
++ *
++ * Copyright (c) 2021
++ * Phillip Lougher <phillip@squashfs.org.uk>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2,
++ * or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ *
++ * unsquash-1234.c
++ *
++ * Helper functions used by unsquash-1, unsquash-2, unsquash-3 and
++ * unsquash-4.
++ */
++
++#define TRUE 1
++#define FALSE 0
++/*
++ * Check name for validity, name should not
++ *  - be ".", "./", or
++ *  - be "..", "../" or
++ *  - have a "/" anywhere in the name, or
++ *  - be shorter than the expected size
++ */
++int check_name(char *name, int size)
++{
++	char *start = name;
++
++	if(name[0] == '.') {
++		if(name[1] == '.')
++			name++;
++		if(name[1] == '/' || name[1] == '\0')
++			return FALSE;
++	}
++
++	while(name[0] != '/' && name[0] != '\0')
++		name ++;
++
++	if(name[0] == '/')
++		return FALSE;
++
++	if((name - start) != size)
++		return FALSE;
++
++	return TRUE;
++}
+diff --git a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c
+index 4b3d767..474064e 100644
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2019
++ * Copyright (c) 2009, 2010, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -386,6 +386,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
+index 02c31fc..65cfe4d 100644
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -413,6 +413,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index 8475835..aa23a84 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -2,7 +2,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
++ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -349,6 +349,13 @@ static struct dir *squashfs_opendir(unsigned int block_start, unsigned int offse
+ 			memcpy(dire->name, directory_table + bytes,
+ 				dire->size + 1);
+ 			dire->name[dire->size + 1] = '\0';
++
++			/* check name for invalid characters (i.e /, ., ..) */
++			if(check_name(dire->name, dire->size + 1) == FALSE) {
++				ERROR("File system corrupted: invalid characters in name\n");
++				goto corrupted;
++			}
++
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+diff --git a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c
+index 727f1d5..f1c3552 100644
+--- a/squashfs-tools/unsquashfs.c
++++ b/squashfs-tools/unsquashfs.c
+@@ -2610,8 +2610,8 @@ int parse_number(char *start, int *res)
+ 
+ 
+ #define VERSION() \
+-	printf("unsquashfs version 4.4 (2019/08/29)\n");\
+-	printf("copyright (C) 2019 Phillip Lougher "\
++	printf("unsquashfs version 4.4-git (2021/01/17)\n");\
++	printf("copyright (C) 2021 Phillip Lougher "\
+ 		"<phillip@squashfs.org.uk>\n\n");\
+     	printf("This program is free software; you can redistribute it and/or"\
+ 		"\n");\
+diff --git a/squashfs-tools/unsquashfs.h b/squashfs-tools/unsquashfs.h
+index 934618b..db1da7a 100644
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -4,7 +4,7 @@
+  * Unsquash a squashfs filesystem.  This is a highly compressed read only
+  * filesystem.
+  *
+- * Copyright (c) 2009, 2010, 2013, 2014, 2019
++ * Copyright (c) 2009, 2010, 2013, 2014, 2019, 2021
+  * Phillip Lougher <phillip@squashfs.org.uk>
+  *
+  * This program is free software; you can redistribute it and/or
+@@ -261,4 +261,7 @@ extern int read_ids(int, long long, long long, unsigned int **);
+ 
+ /* unsquash-34.c */
+ extern long long *alloc_index_table(int);
++
++/* unsquash-1234.c */
++extern int check_name(char *, int);
+ #endif
+-- 
+2.23.0
+

0006-CVE-2021-41072.patch

@@ -0,0 +1,112 @@
+From 80b8441a37fcf8bf07dacf24d9d6c6459a0f6e36 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sun, 12 Sep 2021 19:58:19 +0100
+Subject: [PATCH] unsquashfs: use squashfs_closedir() to delete directory
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/unsquash-1.c    |  3 +--
+ squashfs-tools/unsquash-1234.c | 11 +++++++++--
+ squashfs-tools/unsquash-2.c    |  3 +--
+ squashfs-tools/unsquash-3.c    |  3 +--
+ squashfs-tools/unsquash-4.c    |  3 +--
+ squashfs-tools/unsquashfs.c    |  7 -------
+ squashfs-tools/unsquashfs.h    |  1 +
+ 7 files changed, 14 insertions(+), 17 deletions(-)
+
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -316,8 +316,7 @@ static struct dir *squashfs_opendir(unsi
+ 	return dir;
+ 
+ corrupted:
+-	free(dir->dirs);
+-	free(dir);
++	squashfs_closedir(dir);
+ 	return NULL;
+ }
+ 
+--- a/squashfs-tools/unsquash-1234.c
++++ b/squashfs-tools/unsquash-1234.c
+@@ -25,8 +25,8 @@
+  * unsquash-4.
+  */
+ 
+-#define TRUE 1
+-#define FALSE 0
++#include "unsquashfs.h"
++
+ /*
+  * Check name for validity, name should not
+  *  - be ".", "./", or
+@@ -56,3 +56,10 @@ int check_name(char *name, int size)
+ 
+ 	return TRUE;
+ }
++
++
++void squashfs_closedir(struct dir *dir)
++{
++	free(dir->dirs);
++	free(dir);
++}
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -417,8 +417,7 @@ static struct dir *squashfs_opendir(unsi
+ 	return dir;
+ 
+ corrupted:
+-	free(dir->dirs);
+-	free(dir);
++	squashfs_closedir(dir);
+ 	return NULL;
+ }
+ 
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -444,8 +444,7 @@ static struct dir *squashfs_opendir(unsi
+ 	return dir;
+ 
+ corrupted:
+-	free(dir->dirs);
+-	free(dir);
++	squashfs_closedir(dir);
+ 	return NULL;
+ }
+ 
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -380,8 +380,7 @@ static struct dir *squashfs_opendir(unsi
+ 	return dir;
+ 
+ corrupted:
+-	free(dir->dirs);
+-	free(dir);
++	squashfs_closedir(dir);
+ 	return NULL;
+ }
+ 
+--- a/squashfs-tools/unsquashfs.c
++++ b/squashfs-tools/unsquashfs.c
+@@ -1290,13 +1290,6 @@ unsigned int *offset, unsigned int *type
+ }
+ 
+ 
+-void squashfs_closedir(struct dir *dir)
+-{
+-	free(dir->dirs);
+-	free(dir);
+-}
+-
+-
+ char *get_component(char *target, char **targname)
+ {
+ 	char *start;
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -264,4 +264,5 @@ extern long long *alloc_index_table(int)
+ 
+ /* unsquash-1234.c */
+ extern int check_name(char *, int);
++extern void squashfs_closedir(struct dir *);
+ #endif

0007-CVE-2021-41072.patch

@@ -0,0 +1,87 @@
+From 1993a4e7aeda04962bf26e84c15fba8b58837e10 Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sun, 12 Sep 2021 20:09:13 +0100
+Subject: [PATCH] unsquashfs: dynamically allocate name
+
+Dynamically allocate name rather than store it
+directly in structure.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/unsquash-1.c    | 2 +-
+ squashfs-tools/unsquash-1234.c | 5 +++++
+ squashfs-tools/unsquash-2.c    | 2 +-
+ squashfs-tools/unsquash-3.c    | 2 +-
+ squashfs-tools/unsquash-4.c    | 2 +-
+ squashfs-tools/unsquashfs.h    | 2 +-
+ 6 files changed, 10 insertions(+), 5 deletions(-)
+
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -303,7 +303,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+--- a/squashfs-tools/unsquash-1234.c
++++ b/squashfs-tools/unsquash-1234.c
+@@ -60,6 +60,11 @@ int check_name(char *name, int size)
+ 
+ void squashfs_closedir(struct dir *dir)
+ {
++	int i;
++
++	for(i = 0; i < dir->dir_count; i++)
++		free(dir->dirs[i].name);
++
+ 	free(dir->dirs);
+ 	free(dir);
+ }
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -404,7 +404,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -431,7 +431,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -367,7 +367,7 @@ static struct dir *squashfs_opendir(unsi
+ 						"realloc failed!\n");
+ 				dir->dirs = new_dir;
+ 			}
+-			strcpy(dir->dirs[dir->dir_count].name, dire->name);
++			dir->dirs[dir->dir_count].name = strdup(dire->name);
+ 			dir->dirs[dir->dir_count].start_block =
+ 				dirh.start_block;
+ 			dir->dirs[dir->dir_count].offset = dire->offset;
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -165,7 +165,7 @@ struct queue {
+ #define DIR_ENT_SIZE	16
+ 
+ struct dir_ent	{
+-	char		name[SQUASHFS_NAME_LEN + 1];
++	char		*name;
+ 	unsigned int	start_block;
+ 	unsigned int	offset;
+ 	unsigned int	type;

0008-CVE-2021-41072.patch

@@ -0,0 +1,306 @@
+From 9938154174756ee48a94ea0b076397a2944b028d Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sun, 12 Sep 2021 22:58:11 +0100
+Subject: [PATCH] unsquashfs: use linked list to store directory names
+
+This should bring higher performance, and it allows sorting
+if necessary (1.x and 2.0 filesystems).
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/unsquash-1.c    | 30 +++++++++++++++---------------
+ squashfs-tools/unsquash-1234.c | 12 ++++++++----
+ squashfs-tools/unsquash-2.c    | 29 +++++++++++++++--------------
+ squashfs-tools/unsquash-3.c    | 29 +++++++++++++++--------------
+ squashfs-tools/unsquash-4.c    | 29 +++++++++++++++--------------
+ squashfs-tools/unsquashfs.c    | 16 ++++++++++------
+ squashfs-tools/unsquashfs.h    |  3 ++-
+ 7 files changed, 80 insertions(+), 68 deletions(-)
+
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -207,7 +207,7 @@ static struct dir *squashfs_opendir(unsi
+ 	long long start;
+ 	int bytes;
+ 	int dir_count, size;
+-	struct dir_ent *new_dir;
++	struct dir_ent *ent, *cur_ent = NULL;
+ 	struct dir *dir;
+ 
+ 	TRACE("squashfs_opendir: inode start block %d, offset %d\n",
+@@ -220,7 +220,7 @@ static struct dir *squashfs_opendir(unsi
+ 		EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
+ 
+ 	dir->dir_count = 0;
+-	dir->cur_entry = 0;
++	dir->cur_entry = NULL;
+ 	dir->mode = (*i)->mode;
+ 	dir->uid = (*i)->uid;
+ 	dir->guid = (*i)->gid;
+@@ -295,19 +295,20 @@ static struct dir *squashfs_opendir(unsi
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+-			if((dir->dir_count % DIR_ENT_SIZE) == 0) {
+-				new_dir = realloc(dir->dirs, (dir->dir_count +
+-					DIR_ENT_SIZE) * sizeof(struct dir_ent));
+-				if(new_dir == NULL)
+-					EXIT_UNSQUASH("squashfs_opendir: "
+-						"realloc failed!\n");
+-				dir->dirs = new_dir;
+-			}
+-			dir->dirs[dir->dir_count].name = strdup(dire->name);
+-			dir->dirs[dir->dir_count].start_block =
+-				dirh.start_block;
+-			dir->dirs[dir->dir_count].offset = dire->offset;
+-			dir->dirs[dir->dir_count].type = dire->type;
++			ent = malloc(sizeof(struct dir_ent));
++			if(ent == NULL)
++				MEM_ERROR();
++
++			ent->name = strdup(dire->name);
++			ent->start_block = dirh.start_block;
++			ent->offset = dire->offset;
++			ent->type = dire->type;
++			ent->next = NULL;
++			if(cur_ent == NULL)
++				dir->dirs = ent;
++			else
++				cur_ent->next = ent;
++			cur_ent = ent;
+ 			dir->dir_count ++;
+ 			bytes += dire->size + 1;
+ 		}
+--- a/squashfs-tools/unsquash-1234.c
++++ b/squashfs-tools/unsquash-1234.c
+@@ -60,11 +60,15 @@ int check_name(char *name, int size)
+ 
+ void squashfs_closedir(struct dir *dir)
+ {
+-	int i;
++	struct dir_ent *ent = dir->dirs;
+ 
+-	for(i = 0; i < dir->dir_count; i++)
+-		free(dir->dirs[i].name);
++	while(ent) {
++		struct dir_ent *tmp = ent;
++
++		ent = ent->next;
++		free(tmp->name);
++		free(tmp);
++	}
+ 
+-	free(dir->dirs);
+ 	free(dir);
+ }
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -308,7 +308,7 @@ static struct dir *squashfs_opendir(unsi
+ 	long long start;
+ 	int bytes;
+ 	int dir_count, size;
+-	struct dir_ent *new_dir;
++	struct dir_ent *ent, *cur_ent = NULL;
+ 	struct dir *dir;
+ 
+ 	TRACE("squashfs_opendir: inode start block %d, offset %d\n",
+@@ -321,7 +321,7 @@ static struct dir *squashfs_opendir(unsi
+ 		EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
+ 
+ 	dir->dir_count = 0;
+-	dir->cur_entry = 0;
++	dir->cur_entry = NULL;
+ 	dir->mode = (*i)->mode;
+ 	dir->uid = (*i)->uid;
+ 	dir->guid = (*i)->gid;
+@@ -396,19 +396,20 @@ static struct dir *squashfs_opendir(unsi
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+-			if((dir->dir_count % DIR_ENT_SIZE) == 0) {
+-				new_dir = realloc(dir->dirs, (dir->dir_count +
+-					DIR_ENT_SIZE) * sizeof(struct dir_ent));
+-				if(new_dir == NULL)
+-					EXIT_UNSQUASH("squashfs_opendir: "
+-						"realloc failed!\n");
+-				dir->dirs = new_dir;
+-			}
+-			dir->dirs[dir->dir_count].name = strdup(dire->name);
+-			dir->dirs[dir->dir_count].start_block =
+-				dirh.start_block;
+-			dir->dirs[dir->dir_count].offset = dire->offset;
+-			dir->dirs[dir->dir_count].type = dire->type;
++			ent = malloc(sizeof(struct dir_ent));
++			if(ent == NULL)
++				MEM_ERROR();
++
++                        ent->name = strdup(dire->name);
++			ent->start_block = dirh.start_block;
++			ent->offset = dire->offset;
++			ent->type = dire->type;
++			ent->next = NULL;
++			if(cur_ent == NULL)
++				dir->dirs = ent;
++			else
++				cur_ent->next = ent;
++			cur_ent = ent;
+ 			dir->dir_count ++;
+ 			bytes += dire->size + 1;
+ 		}
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -334,7 +334,7 @@ static struct dir *squashfs_opendir(unsi
+ 	long long start;
+ 	int bytes;
+ 	int dir_count, size;
+-	struct dir_ent *new_dir;
++	struct dir_ent *ent, *cur_ent = NULL;
+ 	struct dir *dir;
+ 
+ 	TRACE("squashfs_opendir: inode start block %d, offset %d\n",
+@@ -347,7 +347,7 @@ static struct dir *squashfs_opendir(unsi
+ 		EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
+ 
+ 	dir->dir_count = 0;
+-	dir->cur_entry = 0;
++	dir->cur_entry = NULL;
+ 	dir->mode = (*i)->mode;
+ 	dir->uid = (*i)->uid;
+ 	dir->guid = (*i)->gid;
+@@ -423,19 +423,20 @@ static struct dir *squashfs_opendir(unsi
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+-			if((dir->dir_count % DIR_ENT_SIZE) == 0) {
+-				new_dir = realloc(dir->dirs, (dir->dir_count +
+-					DIR_ENT_SIZE) * sizeof(struct dir_ent));
+-				if(new_dir == NULL)
+-					EXIT_UNSQUASH("squashfs_opendir: "
+-						"realloc failed!\n");
+-				dir->dirs = new_dir;
+-			}
+-			dir->dirs[dir->dir_count].name = strdup(dire->name);
+-			dir->dirs[dir->dir_count].start_block =
+-				dirh.start_block;
+-			dir->dirs[dir->dir_count].offset = dire->offset;
+-			dir->dirs[dir->dir_count].type = dire->type;
++			ent = malloc(sizeof(struct dir_ent));
++			if(ent == NULL)
++				MEM_ERROR();
++
++                        ent->name = strdup(dire->name);
++			ent->start_block = dirh.start_block;
++			ent->offset = dire->offset;
++			ent->type = dire->type;
++			ent->next = NULL;
++			if(cur_ent == NULL)
++				dir->dirs = ent;
++			else
++				cur_ent->next = ent;
++			cur_ent = ent;
+ 			dir->dir_count ++;
+ 			bytes += dire->size + 1;
+ 		}
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -281,7 +281,7 @@ static struct dir *squashfs_opendir(unsi
+ 	long long start;
+ 	long long bytes;
+ 	int dir_count, size;
+-	struct dir_ent *new_dir;
++	struct dir_ent *ent, *cur_ent = NULL;
+ 	struct dir *dir;
+ 
+ 	TRACE("squashfs_opendir: inode start block %d, offset %d\n",
+@@ -294,7 +294,7 @@ static struct dir *squashfs_opendir(unsi
+ 		EXIT_UNSQUASH("squashfs_opendir: malloc failed!\n");
+ 
+ 	dir->dir_count = 0;
+-	dir->cur_entry = 0;
++	dir->cur_entry = NULL;
+ 	dir->mode = (*i)->mode;
+ 	dir->uid = (*i)->uid;
+ 	dir->guid = (*i)->gid;
+@@ -359,19 +359,20 @@ static struct dir *squashfs_opendir(unsi
+ 			TRACE("squashfs_opendir: directory entry %s, inode "
+ 				"%d:%d, type %d\n", dire->name,
+ 				dirh.start_block, dire->offset, dire->type);
+-			if((dir->dir_count % DIR_ENT_SIZE) == 0) {
+-				new_dir = realloc(dir->dirs, (dir->dir_count +
+-					DIR_ENT_SIZE) * sizeof(struct dir_ent));
+-				if(new_dir == NULL)
+-					EXIT_UNSQUASH("squashfs_opendir: "
+-						"realloc failed!\n");
+-				dir->dirs = new_dir;
+-			}
+-			dir->dirs[dir->dir_count].name = strdup(dire->name);
+-			dir->dirs[dir->dir_count].start_block =
+-				dirh.start_block;
+-			dir->dirs[dir->dir_count].offset = dire->offset;
+-			dir->dirs[dir->dir_count].type = dire->type;
++			ent = malloc(sizeof(struct dir_ent));
++			if(ent == NULL)
++				MEM_ERROR();
++
++			ent->name = strdup(dire->name);
++			ent->start_block = dirh.start_block;
++			ent->offset = dire->offset;
++			ent->type = dire->type;
++			ent->next = NULL;
++			if(cur_ent == NULL)
++				dir->dirs = ent;
++			else
++				cur_ent->next = ent;
++			cur_ent = ent;
+ 			dir->dir_count ++;
+ 			bytes += dire->size + 1;
+ 		}
+--- a/squashfs-tools/unsquashfs.c
++++ b/squashfs-tools/unsquashfs.c
+@@ -1277,14 +1277,18 @@ failed:
+ int squashfs_readdir(struct dir *dir, char **name, unsigned int *start_block,
+ unsigned int *offset, unsigned int *type)
+ {
+-	if(dir->cur_entry == dir->dir_count)
++	if(dir->cur_entry == NULL)
++		dir->cur_entry = dir->dirs;
++	else
++		dir->cur_entry = dir->cur_entry->next;
++
++	if(dir->cur_entry == NULL)
+ 		return FALSE;
+ 
+-	*name = dir->dirs[dir->cur_entry].name;
+-	*start_block = dir->dirs[dir->cur_entry].start_block;
+-	*offset = dir->dirs[dir->cur_entry].offset;
+-	*type = dir->dirs[dir->cur_entry].type;
+-	dir->cur_entry ++;
++	*name = dir->cur_entry->name;
++	*start_block = dir->cur_entry->start_block;
++	*offset = dir->cur_entry->offset;
++	*type = dir->cur_entry->type;
+ 
+ 	return TRUE;
+ }
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -169,17 +169,18 @@ struct dir_ent	{
+ 	unsigned int	start_block;
+ 	unsigned int	offset;
+ 	unsigned int	type;
++	struct dir_ent	*next;
+ };
+ 
+ struct dir {
+ 	int		dir_count;
+-	int 		cur_entry;
+ 	unsigned int	mode;
+ 	uid_t		uid;
+ 	gid_t		guid;
+ 	unsigned int	mtime;
+ 	unsigned int xattr;
+ 	struct dir_ent	*dirs;
++	struct dir_ent	*cur_entry;
+ };
+ 
+ struct file_entry {

0009-CVE-2021-41072.patch

@@ -0,0 +1,289 @@
+From e0485802ec72996c20026da320650d8362f555bd Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Sun, 12 Sep 2021 23:50:06 +0100
+Subject: [PATCH] Unsquashfs: additional write outside destination directory
+ exploit fix
+
+An issue on github (https://github.com/plougher/squashfs-tools/issues/72)
+showed how some specially crafted Squashfs filesystems containing
+invalid file names (with '/' and '..') can cause Unsquashfs to write
+files outside of the destination directory.
+
+Since then it has been shown that specially crafted Squashfs filesystems
+that contain a symbolic link pointing outside of the destination directory,
+coupled with an identically named file within the same directory, can
+cause Unsquashfs to write files outside of the destination directory.
+
+Specifically the symbolic link produces a pathname pointing outside
+of the destination directory, which is then followed when writing the
+duplicate identically named file within the directory.
+
+This commit fixes this exploit by explictly checking for duplicate
+filenames within a directory.  As directories in v2.1, v3.x, and v4.0
+filesystems are sorted, this is achieved by checking for consecutively
+identical filenames.  Additionally directories are checked to
+ensure they are sorted, to avoid attempts to evade the duplicate
+check.
+
+Version 1.x and 2.0 filesystems (where the directories were unsorted)
+are sorted and then the above duplicate filename check is applied.
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile        |   6 +-
+ squashfs-tools/unsquash-1.c    |   6 ++
+ squashfs-tools/unsquash-12.c   | 110 +++++++++++++++++++++++++++++++++
+ squashfs-tools/unsquash-1234.c |  21 +++++++
+ squashfs-tools/unsquash-2.c    |  16 +++++
+ squashfs-tools/unsquash-3.c    |   6 ++
+ squashfs-tools/unsquash-4.c    |   6 ++
+ squashfs-tools/unsquashfs.h    |   4 ++
+ 8 files changed, 173 insertions(+), 2 deletions(-)
+ create mode 100644 squashfs-tools/unsquash-12.c
+
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -156,8 +156,8 @@ MKSQUASHFS_OBJS = mksquashfs.o read_fs.o
+ 	caches-queues-lists.o
+ 
+ UNSQUASHFS_OBJS = unsquashfs.o unsquash-1.o unsquash-2.o unsquash-3.o \
+-	unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o swap.o \
+-	compressor.o unsquashfs_info.o
++	unsquash-4.o unsquash-123.o unsquash-34.o unsquash-1234.o unsquash-12.o \
++	swap.o compressor.o unsquashfs_info.o
+ 
+ CFLAGS ?= -O2
+ CFLAGS += $(EXTRA_CFLAGS) $(INCLUDEDIR) -D_FILE_OFFSET_BITS=64 \
+@@ -353,6 +353,8 @@ unsquash-34.o: unsquashfs.h unsquash-34.
+ 
+ unsquash-1234.o: unsquash-1234.c
+ 
++unsquash-1234.o: unsquash-12.c
++
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+ 
+ unsquashfs_info.o: unsquashfs.h squashfs_fs.h
+--- a/squashfs-tools/unsquash-1.c
++++ b/squashfs-tools/unsquash-1.c
+@@ -314,6 +314,12 @@ static struct dir *squashfs_opendir(unsi
+ 		}
+ 	}
+ 
++	/* check directory for duplicate names.  Need to sort directory first */
++	sort_directory(dir);
++	if(check_directory(dir) == FALSE) {
++		ERROR("File system corrupted: directory has duplicate names\n");
++		goto corrupted;
++	}
+ 	return dir;
+ 
+ corrupted:
+--- /dev/null
++++ b/squashfs-tools/unsquash-12.c
+@@ -0,0 +1,110 @@
++/*
++ * Unsquash a squashfs filesystem.  This is a highly compressed read only
++ * filesystem.
++ *
++ * Copyright (c) 2021
++ * Phillip Lougher <phillip@squashfs.org.uk>
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2,
++ * or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++ *
++ * unsquash-12.c
++ *
++ * Helper functions used by unsquash-1 and unsquash-2.
++ */
++
++#include "unsquashfs.h"
++
++/*
++ * Bottom up linked list merge sort.
++ *
++ */
++void sort_directory(struct dir *dir)
++{
++	struct dir_ent *cur, *l1, *l2, *next;
++	int len1, len2, stride = 1;
++
++	if(dir->dir_count < 2)
++		return;
++
++	/*
++	 * We can consider our linked-list to be made up of stride length
++	 * sublists.  Eacn iteration around this loop merges adjacent
++	 * stride length sublists into larger 2*stride sublists.  We stop
++	 * when stride becomes equal to the entire list.
++	 *
++	 * Initially stride = 1 (by definition a sublist of 1 is sorted), and
++	 * these 1 element sublists are merged into 2 element sublists,  which
++	 * are then merged into 4 element sublists and so on.
++	 */
++	do {
++		l2 = dir->dirs; /* head of current linked list */
++		cur = NULL; /* empty output list */
++
++		/*
++		 * Iterate through the linked list, merging adjacent sublists.
++		 * On each interation l2 points to the next sublist pair to be
++		 * merged (if there's only one sublist left this is simply added
++		 * to the output list)
++		 */
++		while(l2) {
++			l1 = l2;
++			for(len1 = 0; l2 && len1 < stride; len1 ++, l2 = l2->next);
++			len2 = stride;
++
++			/*
++			 * l1 points to first sublist.
++			 * l2 points to second sublist.
++			 * Merge them onto the output list
++			 */
++			while(len1 && l2 && len2) {
++				if(strcmp(l1->name, l2->name) <= 0) {
++					next = l1;
++					l1 = l1->next;
++					len1 --;
++				} else {
++					next = l2;
++					l2 = l2->next;
++					len2 --;
++				}
++
++				if(cur) {
++					cur->next = next;
++					cur = next;
++				} else
++					dir->dirs = cur = next;
++			}
++			/*
++			 * One sublist is now empty, copy the other one onto the
++			 * output list
++			 */
++			for(; len1; len1 --, l1 = l1->next) {
++				if(cur) {
++					cur->next = l1;
++					cur = l1;
++				} else
++					dir->dirs = cur = l1;
++			}
++			for(; l2 && len2; len2 --, l2 = l2->next) {
++				if(cur) {
++					cur->next = l2;
++					cur = l2;
++				} else
++					dir->dirs = cur = l2;
++			}
++		}
++		cur->next = NULL;
++		stride = stride << 1;
++	} while(stride < dir->dir_count);
++}
+--- a/squashfs-tools/unsquash-1234.c
++++ b/squashfs-tools/unsquash-1234.c
+@@ -72,3 +72,24 @@ void squashfs_closedir(struct dir *dir)
+ 
+ 	free(dir);
+ }
++
++
++/*
++ * Check directory for duplicate names.  As the directory should be sorted,
++ * duplicates will be consecutive.  Obviously we also need to check if the
++ * directory has been deliberately unsorted, to evade this check.
++ */
++int check_directory(struct dir *dir)
++{
++	int i;
++	struct dir_ent *ent;
++
++	if(dir->dir_count < 2)
++		return TRUE;
++
++	for(ent = dir->dirs, i = 0; i < dir->dir_count - 1; ent = ent->next, i++)
++		if(strcmp(ent->name, ent->next->name) >= 0)
++			return FALSE;
++
++	return TRUE;
++}
+--- a/squashfs-tools/unsquash-2.c
++++ b/squashfs-tools/unsquash-2.c
+@@ -29,6 +29,7 @@ static squashfs_fragment_entry_2 *fragme
+ static unsigned int *uid_table, *guid_table;
+ static char *inode_table, *directory_table;
+ static squashfs_operations ops;
++static int needs_sorting = FALSE;
+ 
+ static void read_block_list(unsigned int *block_list, char *block_ptr, int blocks)
+ {
+@@ -415,6 +416,17 @@ static struct dir *squashfs_opendir(unsi
+ 		}
+ 	}
+ 
++	if(needs_sorting)
++		sort_directory(dir);
++
++	/* check directory for duplicate names and sorting */
++	if(check_directory(dir) == FALSE) {
++		if(needs_sorting)
++			ERROR("File system corrupted: directory has duplicate names\n");
++		else
++			ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
++		goto corrupted;
++	}
+ 	return dir;
+ 
+ corrupted:
+--- a/squashfs-tools/unsquash-3.c
++++ b/squashfs-tools/unsquash-3.c
+@@ -442,6 +442,12 @@ static struct dir *squashfs_opendir(unsi
+ 		}
+ 	}
+ 
++	/* check directory for duplicate names and sorting */
++	if(check_directory(dir) == FALSE) {
++		ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
++		goto corrupted;
++	}
++
+ 	return dir;
+ 
+ corrupted:
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -378,6 +378,12 @@ static struct dir *squashfs_opendir(unsi
+ 		}
+ 	}
+ 
++	/* check directory for duplicate names and sorting */
++	if(check_directory(dir) == FALSE) {
++		ERROR("File system corrupted: directory has duplicate names or is unsorted\n");
++		goto corrupted;
++	}
++
+ 	return dir;
+ 
+ corrupted:
+--- a/squashfs-tools/unsquashfs.h
++++ b/squashfs-tools/unsquashfs.h
+@@ -266,4 +266,8 @@ extern long long *alloc_index_table(int)
+ /* unsquash-1234.c */
+ extern int check_name(char *, int);
+ extern void squashfs_closedir(struct dir *);
++extern int check_directory(struct dir *);
++
++/* unsquash-12.c */
++extern void sort_directory(struct dir *);
+ #endif

0010-CVE-2021-41072.patch

@@ -0,0 +1,21 @@
+From 19fcc9365dcdb2c22d232d42d11012940df64b7c Mon Sep 17 00:00:00 2001
+From: Phillip Lougher <phillip@squashfs.org.uk>
+Date: Tue, 14 Sep 2021 05:41:27 +0100
+Subject: [PATCH] Unsquashfs: Add makefile entry for unsquash-12.o
+
+Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
+---
+ squashfs-tools/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/squashfs-tools/Makefile
++++ b/squashfs-tools/Makefile
+@@ -353,7 +353,7 @@ unsquash-34.o: unsquashfs.h unsquash-34.
+ 
+ unsquash-1234.o: unsquash-1234.c
+ 
+-unsquash-1234.o: unsquash-12.c
++unsquash-12.o: unsquash-12.c unsquashfs.h
+ 
+ unsquashfs_xattr.o: unsquashfs_xattr.c unsquashfs.h squashfs_fs.h xattr.h
+ 

squashfs-tools.spec

@@ -1,6 +1,6 @@
 Name:     squashfs-tools
 Version:  4.4
-Release:  4
+Release:  5
 Summary:  Utility for the squashfs filesystems
 License:  GPLv2+
 URL:      http://squashfs.sourceforge.net/
@@ -11,6 +11,12 @@ Patch1:  0001-Fix-typos-update-URLs-in-squashfs-tools-Makefile.patch
 Patch2:  0002-Support-creating-sockets-in-unsquashfs.patch
 Patch3:  0003-squashfs-tools-fix-build-failure-against-gcc-10.patch
 Patch4:  0004-xattr-Initialize-header-to-avoid-valgrind-warning.patch
+Patch5:  0005-CVE-2021-40153.patch
+Patch6:  0006-CVE-2021-41072.patch
+Patch7:  0007-CVE-2021-41072.patch
+Patch8:  0008-CVE-2021-41072.patch
+Patch9:  0009-CVE-2021-41072.patch
+Patch10: 0010-CVE-2021-41072.patch
 
 BuildRequires: zlib-devel xz-devel libzstd-devel 
 BuildRequires: lzo-devel libattr-devel lz4-devel gcc
@@ -41,6 +47,9 @@ install -D -m 755 squashfs-tools/unsquashfs %{buildroot}%{_sbindir}/unsquashfs
 
 
 %changelog
+* Tue Nov 9 2021 yanglongkang <yanglongkang@huawei.com> - 4.4-5
+- Fix CVE-2021-41053 CVE-2021-41072
+
 * Fri Jul 30 2021 chenyanpanHW <chenyanpan@huawei.com> - 4.4-4
 - DESC: delete -S git from %autosetup, and delete BuildRequires git