87 lines
3.1 KiB
Diff
87 lines
3.1 KiB
Diff
From 8f542d9f0222302b44fca861031ccf09e78d9be5 Mon Sep 17 00:00:00 2001
|
|
From: renxudong <renxudong1@huawei.com>
|
|
Date: Sun, 11 Aug 2019 01:01:03 -0400
|
|
Subject: [PATCH 1/8] unsquashfs-Fix-one-off-error-in-name-length-check
|
|
|
|
---
|
|
squashfs-tools/unsquash-1.c | 6 +++---
|
|
squashfs-tools/unsquash-3.c | 6 +++---
|
|
squashfs-tools/unsquash-4.c | 6 +++---
|
|
3 files changed, 9 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c
|
|
index c2e7d38..6209243 100644
|
|
--- a/squashfs-tools/unsquash-1.c
|
|
+++ b/squashfs-tools/unsquash-1.c
|
|
@@ -2,7 +2,7 @@
|
|
* Unsquash a squashfs filesystem. This is a highly compressed read only
|
|
* filesystem.
|
|
*
|
|
- * Copyright (c) 2009, 2010, 2011, 2012
|
|
+ * Copyright (c) 2009, 2010, 2011, 2012, 2019
|
|
* Phillip Lougher <phillip@squashfs.org.uk>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
@@ -278,8 +278,8 @@ struct dir *squashfs_opendir_1(unsigned int block_start, unsigned int offset,
|
|
sizeof(*dire));
|
|
bytes += sizeof(*dire);
|
|
|
|
- /* size should never be larger than SQUASHFS_NAME_LEN */
|
|
- if(dire->size > SQUASHFS_NAME_LEN)
|
|
+ /* size should never be SQUASHFS_NAME_LEN or larger */
|
|
+ if(dire->size >= SQUASHFS_NAME_LEN)
|
|
goto corrupted;
|
|
|
|
memcpy(dire->name, directory_table + bytes,
|
|
diff --git a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c
|
|
index d5af57a..92e18c5 100644
|
|
--- a/squashfs-tools/unsquash-3.c
|
|
+++ b/squashfs-tools/unsquash-3.c
|
|
@@ -2,7 +2,7 @@
|
|
* Unsquash a squashfs filesystem. This is a highly compressed read only
|
|
* filesystem.
|
|
*
|
|
- * Copyright (c) 2009, 2010, 2011, 2012, 2013
|
|
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
|
|
* Phillip Lougher <phillip@squashfs.org.uk>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
@@ -356,8 +356,8 @@ struct dir *squashfs_opendir_3(unsigned int block_start, unsigned int offset,
|
|
sizeof(*dire));
|
|
bytes += sizeof(*dire);
|
|
|
|
- /* size should never be larger than SQUASHFS_NAME_LEN */
|
|
- if(dire->size > SQUASHFS_NAME_LEN)
|
|
+ /* size should never be SQUASHFS_NAME_LEN or larger */
|
|
+ if(dire->size >= SQUASHFS_NAME_LEN)
|
|
goto corrupted;
|
|
|
|
memcpy(dire->name, directory_table + bytes,
|
|
diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
|
|
index 9414016..cf30ec1 100644
|
|
--- a/squashfs-tools/unsquash-4.c
|
|
+++ b/squashfs-tools/unsquash-4.c
|
|
@@ -2,7 +2,7 @@
|
|
* Unsquash a squashfs filesystem. This is a highly compressed read only
|
|
* filesystem.
|
|
*
|
|
- * Copyright (c) 2009, 2010, 2011, 2012, 2013
|
|
+ * Copyright (c) 2009, 2010, 2011, 2012, 2013, 2019
|
|
* Phillip Lougher <phillip@squashfs.org.uk>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
@@ -319,8 +319,8 @@ struct dir *squashfs_opendir_4(unsigned int block_start, unsigned int offset,
|
|
|
|
bytes += sizeof(*dire);
|
|
|
|
- /* size should never be larger than SQUASHFS_NAME_LEN */
|
|
- if(dire->size > SQUASHFS_NAME_LEN)
|
|
+ /* size should never be SQUASHFS_NAME_LEN or larger */
|
|
+ if(dire->size >= SQUASHFS_NAME_LEN)
|
|
goto corrupted;
|
|
|
|
memcpy(dire->name, directory_table + bytes,
|
|
--
|
|
1.8.3.1
|
|
|