cpiofs: Buffer overflows and memory leak fixed
Andrew V. Samoilov
kai at cmail.ru
Tue Oct 30 10:19:38 UTC 2001
Hi!
This patch was proposed by drk at sgi.com and applied some time ago.
I don't know the name of this person, but s/he proposed a number
of useful patches. Thanks a lot!
BTW, I have a number of cpio archives which force cpiofs to exit mc.
They have the old ASCII format (CPIO_OLDC, 3), but this one is not handled
in cpio_skip_padding and so g_assert_not_reached raises.
Old cpiofs without this g_assert_not_reached can manage these archives.
CPIO_OLDC is handled in cpio_read_header and cpio_find_header,
so I think the patch can be trivial.
Regards,
Andrew.
ChangeLog:
* cpio.c (cpio_read_crc_head): Fix buffer overflow.
(cpio_read_oldc_head): Likewise. By drk at sgi.com.
http://bugzilla.gnome.org/show_bug.cgi?id=60933
* (cpio_read_oldc_head): Release name if mc_read fails.
--- vfs/cpio.c Mon Mar 5 03:20:03 2001
+++ vfs/cpio.c Thu Oct 25 17:28:04 2001
@@ -300,7 +300,7 @@
if((len = mc_read(super->u.cpio.fd, (void *)buf, HEAD_LENGTH)) < HEAD_LENGTH)
return STATUS_EOF;
CPIO_POS(super) += len;
- buf[HEAD_LENGTH + 1] = 0;
+ buf[HEAD_LENGTH] = 0;
if(sscanf((void *)buf, "070707%6lo%6lo%6lo%6lo%6lo%6lo%6lo%11lo%6lo%11lo",
&hd.c_dev, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
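Review bot: the corrected terminator write `buf[HEAD_LENGTH] = 0;` is only in bounds if buf is declared with at least HEAD_LENGTH + 1 bytes, and the hunk does not show that declaration; please confirm the array size in cpio_read_oldc_head and tie it to HEAD_LENGTH + 1 with a comment or a compile-time check so the off-by-one cannot creep back in. The terminator is needed because the following sscanf treats buf as a C string, so a buffer of exactly HEAD_LENGTH bytes would still be wrong after this change.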
@@ -311,9 +311,10 @@
}
name = g_malloc(hd.c_namesize);
- if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize)
+ if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize) {
+ g_free (name);
return STATUS_EOF;
-
+ }
CPIO_POS(super) += len;
cpio_skip_padding(super);
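Review bot: releasing name on the short-read path is correct, but the size handed to `g_malloc(hd.c_namesize)` just above comes straight from the header fields parsed by sscanf and is not range-checked in this function; a zero or implausibly large c_namesize from a corrupt archive reaches g_malloc and mc_read unchecked, so a sanity check before the allocation (reject zero, cap at a sane maximum) would close the remaining gap. Minor style point: `g_free (name);` puts a space before the parenthesis while the neighbouring `g_malloc(...)` and `mc_read(...)` calls do not.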
@@ -348,7 +349,7 @@
if((len = mc_read(super->u.cpio.fd, buf, HEAD_LENGTH)) < HEAD_LENGTH)
return STATUS_EOF;
CPIO_POS(super) += len;
- buf[HEAD_LENGTH + 1] = 0;
+ buf[HEAD_LENGTH] = 0;
if(sscanf(buf, "%6ho%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx",
&hd.c_magic, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
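Review bot: same off-by-one fix as in cpio_read_oldc_head, with the same condition: buf in cpio_read_crc_head must be HEAD_LENGTH + 1 bytes for `buf[HEAD_LENGTH] = 0;` to be in bounds, and that declaration is outside the hunk. Since both functions read exactly HEAD_LENGTH bytes and then terminate for sscanf, consider a single shared helper or at least a comment at each declaration so the two sizes do not drift apart again.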