From 05fe97fcc7fb34110fb2ddd338cedc7477e41300 Mon Sep 17 00:00:00 2001
From: renxudong
Date: Sun, 11 Aug 2019 01:04:50 -0400
Subject: [PATCH 3/8] unsquashfs-Be-more-explicit-when-file-system-corrupt
---
 squashfs-tools/unsquash-1.c | 8 ++++++--
 squashfs-tools/unsquash-3.c | 8 ++++++--
 squashfs-tools/unsquash-4.c | 8 ++++++--
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
index 1cbf1b1..41888fb 100644
--- a/squashfs-tools/unsquash-1.c
+++ b/squashfs-tools/unsquash-1.c
@@ -264,8 +264,10 @@ struct dir *squashfs_opendir_1(unsigned int block_start, unsigned int offset,
 bytes += sizeof(dirh);
 /* dir_count should never be larger than SQUASHFS_DIR_COUNT */
- if(dir_count > SQUASHFS_DIR_COUNT)
+ if(dir_count > SQUASHFS_DIR_COUNT) {
+ ERROR("File system corrupted: too many entries in directory\n");
 goto corrupted;
+ }
 while(dir_count--) {
 if(swap) {
@@ -279,8 +281,10 @@ struct dir *squashfs_opendir_1(unsigned int block_start, unsigned int offset,
 bytes += sizeof(*dire);
 /* size should never be SQUASHFS_NAME_LEN or larger */
- if(dire->size >= SQUASHFS_NAME_LEN)
+ if(dire->size >= SQUASHFS_NAME_LEN) {
+ ERROR("File system corrupted: filename too long\n");
 goto corrupted;
+ }
 memcpy(dire->name, directory_table + bytes, dire->size + 1);
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
index dc530bb..ac04a6a 100644
--- a/squashfs-tools/unsquash-3.c
+++ b/squashfs-tools/unsquash-3.c
@@ -342,8 +342,10 @@ struct dir *squashfs_opendir_3(unsigned int block_start, unsigned int offset,
 bytes += sizeof(dirh);
 /* dir_count should never be larger than SQUASHFS_DIR_COUNT */
- if(dir_count > SQUASHFS_DIR_COUNT)
+ if(dir_count > SQUASHFS_DIR_COUNT) {
+ ERROR("File system corrupted: too many entries in directory\n");
 goto corrupted;
+ }
 while(dir_count--) {
 if(swap) {
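Review bot: The new message in the `dir_count > SQUASHFS_DIR_COUNT` branch does not identify which directory failed, so anyone triaging a damaged or untrusted image still cannot tell where the bad header sits. `block_start` and `offset` are parameters of `squashfs_opendir_1` (visible in the hunk header) and could be reported, e.g. `ERROR("File system corrupted: too many entries in directory (block %u, offset %u)\n", block_start, offset);`, assuming ERROR accepts printf-style arguments. The matching hunks in unsquash-3.c and unsquash-4.c would benefit from the same change. The function body starts and ends outside the hunk.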
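Review bot: The `memcpy` that follows the `dire->size >= SQUASHFS_NAME_LEN` check copies `dire->size + 1` bytes from `directory_table + bytes`, and nothing in this hunk bounds `bytes + dire->size + 1` against the amount of directory data that was actually read. If no such check exists in the part of `squashfs_opendir_1` outside the hunk, an entry near the end of a truncated or crafted table turns this into an out-of-bounds read. A guard before the copy such as `if(bytes + dire->size + 1 > dir_len) goto corrupted;` would close it, where `dir_len` is a placeholder for whatever variable holds the table length. The second hunks of unsquash-3.c and unsquash-4.c have the same shape.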
@@ -357,8 +359,10 @@ struct dir *squashfs_opendir_3(unsigned int block_start, unsigned int offset,
 bytes += sizeof(*dire);
 /* size should never be SQUASHFS_NAME_LEN or larger */
- if(dire->size >= SQUASHFS_NAME_LEN)
+ if(dire->size >= SQUASHFS_NAME_LEN) {
+ ERROR("File system corrupted: filename too long\n");
 goto corrupted;
+ }
 memcpy(dire->name, directory_table + bytes, dire->size + 1);
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index 58eb17d..05b0c5d 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -311,8 +311,10 @@ struct dir *squashfs_opendir_4(unsigned int block_start, unsigned int offset,
 bytes += sizeof(dirh);
 /* dir_count should never be larger than SQUASHFS_DIR_COUNT */
- if(dir_count > SQUASHFS_DIR_COUNT) {
+ if(dir_count > SQUASHFS_DIR_COUNT) {
+ ERROR("File system corrupted: too many entries in directory\n");
 goto corrupted;
+ }
 while(dir_count--) {
 SQUASHFS_SWAP_DIR_ENTRY(directory_table + bytes, dire);
@@ -320,8 +322,10 @@ struct dir *squashfs_opendir_4(unsigned int block_start, unsigned int offset,
 bytes += sizeof(*dire);
 /* size should never be SQUASHFS_NAME_LEN or larger */
- if(dire->size >= SQUASHFS_NAME_LEN)
+ if(dire->size >= SQUASHFS_NAME_LEN) {
+ ERROR("File system corrupted: filename too long\n");
 goto corrupted;
+ }
 memcpy(dire->name, directory_table + bytes, dire->size + 1);
-- 
1.8.3.1
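Review bot: The length test behind the new `filename too long` message is the only validation of the entry name visible in this hunk; the bytes copied by the following `memcpy` are not checked for `/`, for the names `.` and `..`, or for a NUL before `dire->size`. If the name is later joined to the extraction path without such a check (that code is outside the hunk), a corrupted or malicious image could cause files to be written outside the destination directory. Consider rejecting such names at this point with their own `ERROR(...)` and `goto corrupted`, and doing the same in the `squashfs_opendir_1` and `squashfs_opendir_4` variants.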