LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16047 Commits
1 Branch
46 MiB
Tree: fa3d533655
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fa3d533655'
${ noResults }
openwrt-packages-dist/utils/squashfs-tools/patches/0004-vla-to-malloc.patch

474 lines
14 KiB
Raw Normal View History

squashfs-tools: fix segfault Unsquashfs was segfaulting. When examining in gdb the stack was corrupt. I found that converting the variable length arrays to malloc caused the stack corruption to not happen and the segfault went away. This is due to the musl pthread stack size being 80k by default. So the chance of a stack overflow is high. Signed-off-by: Colby Whitney <colby.whitney@luxul.com>
7 years ago
 
  1. diff -aurp a/squashfs-tools/unsquash-1.c b/squashfs-tools/unsquash-1.c

  2. --- a/squashfs-tools/unsquash-1.c	2014-09-18 20:16:18.000000000 -0600

  3. +++ b/squashfs-tools/unsquash-1.c	2017-08-29 13:18:14.403020644 -0600

  4. @@ -332,17 +332,19 @@ int read_uids_guids_1()

  5.  	guid_table = uid_table + sBlk.no_uids;
  6.  
  7.  	if(swap) {
  8. -		unsigned int suid_table[sBlk.no_uids + sBlk.no_guids];

  9. +		unsigned int* suid_table = malloc((sBlk.no_uids + sBlk.no_guids) * sizeof(unsigned int));

  10.  
  11.  		res = read_fs_bytes(fd, sBlk.uid_start, (sBlk.no_uids +
  12.  			sBlk.no_guids) * sizeof(unsigned int), suid_table);
  13.  		if(res == FALSE) {
  14. +			free(suid_table);

  15.  			ERROR("read_uids_guids: failed to read uid/gid table"
  16.  				"\n");
  17.  			return FALSE;
  18.  		}
  19.  		SQUASHFS_SWAP_INTS_3(uid_table, suid_table,
  20.  			sBlk.no_uids + sBlk.no_guids);
  21. +		free(suid_table);

  22.  	} else {
  23.  		res = read_fs_bytes(fd, sBlk.uid_start, (sBlk.no_uids +
  24.  			sBlk.no_guids) * sizeof(unsigned int), uid_table);
  25. diff -aurp a/squashfs-tools/unsquash-2.c b/squashfs-tools/unsquash-2.c

  26. --- a/squashfs-tools/unsquash-2.c	2014-09-18 20:16:18.000000000 -0600

  27. +++ b/squashfs-tools/unsquash-2.c	2017-08-29 13:23:48.111321548 -0600

  28. @@ -32,7 +32,7 @@ void read_block_list_2(unsigned int *blo

  29.  	TRACE("read_block_list: blocks %d\n", blocks);
  30.  
  31.  	if(swap) {
  32. -		unsigned int sblock_list[blocks];

  33. +		unsigned int* sblock_list = malloc(blocks*sizeof(unsigned int));

  34.  		memcpy(sblock_list, block_ptr, blocks * sizeof(unsigned int));
  35.  		SQUASHFS_SWAP_INTS_3(block_list, sblock_list, blocks);
  36.  	} else
  37. @@ -45,7 +45,7 @@ int read_fragment_table_2(long long *dir

  38.  	int res, i;
  39.  	int bytes = SQUASHFS_FRAGMENT_BYTES_2(sBlk.s.fragments);
  40.  	int indexes = SQUASHFS_FRAGMENT_INDEXES_2(sBlk.s.fragments);
  41. -	unsigned int fragment_table_index[indexes];

  42. +	unsigned int* fragment_table_index = malloc(indexes * sizeof(unsigned int));

  43.  
  44.  	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
  45.  		"from 0x%llx\n", sBlk.s.fragments, indexes,
  46. @@ -53,6 +53,7 @@ int read_fragment_table_2(long long *dir

  47.  
  48.  	if(sBlk.s.fragments == 0) {
  49.  		*directory_table_end = sBlk.s.fragment_table_start;
  50. +		free(fragment_table_index);

  51.  		return TRUE;
  52.  	}
  53.  
  54. @@ -62,7 +63,7 @@ int read_fragment_table_2(long long *dir

  55.  			"fragment table\n");
  56.  
  57.  	if(swap) {
  58. -		 unsigned int sfragment_table_index[indexes];

  59. +		 unsigned int* sfragment_table_index = malloc(indexes * sizeof(unsigned int));

  60.  
  61.  		 res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
  62.  			SQUASHFS_FRAGMENT_INDEX_BYTES_2(sBlk.s.fragments),
  63. @@ -70,10 +71,14 @@ int read_fragment_table_2(long long *dir

  64.  		if(res == FALSE) {
  65.  			ERROR("read_fragment_table: failed to read fragment "
  66.  				"table index\n");
  67. +			free(sfragment_table_index);

  68. +			free(fragment_table_index);

  69.  			return FALSE;
  70.  		}
  71.  		SQUASHFS_SWAP_FRAGMENT_INDEXES_2(fragment_table_index,
  72.  			sfragment_table_index, indexes);
  73. +		

  74. +		free(sfragment_table_index);

  75.  	} else {
  76.  		res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
  77.  			SQUASHFS_FRAGMENT_INDEX_BYTES_2(sBlk.s.fragments),
  78. @@ -81,6 +86,7 @@ int read_fragment_table_2(long long *dir

  79.  		if(res == FALSE) {
  80.  			ERROR("read_fragment_table: failed to read fragment "
  81.  				"table index\n");
  82. +			free(fragment_table_index);

  83.  			return FALSE;
  84.  		}
  85.  	}
  86. @@ -96,6 +102,7 @@ int read_fragment_table_2(long long *dir

  87.  		if(length == FALSE) {
  88.  			ERROR("read_fragment_table: failed to read fragment "
  89.  				"table block\n");
  90. +			free(fragment_table_index);

  91.  			return FALSE;
  92.  		}
  93.  	}
  94. @@ -111,6 +118,7 @@ int read_fragment_table_2(long long *dir

  95.  	}
  96.  
  97.  	*directory_table_end = fragment_table_index[0];
  98. +	free(fragment_table_index);

  99.  	return TRUE;
  100.  }
  101.  
  102. diff -aurp a/squashfs-tools/unsquash-3.c b/squashfs-tools/unsquash-3.c

  103. --- a/squashfs-tools/unsquash-3.c	2014-09-18 20:16:18.000000000 -0600

  104. +++ b/squashfs-tools/unsquash-3.c	2017-08-29 14:43:17.016089289 -0600

  105. @@ -32,7 +32,7 @@ int read_fragment_table_3(long long *dir

  106.  	int res, i;
  107.  	int bytes = SQUASHFS_FRAGMENT_BYTES_3(sBlk.s.fragments);
  108.  	int indexes = SQUASHFS_FRAGMENT_INDEXES_3(sBlk.s.fragments);
  109. -	long long fragment_table_index[indexes];

  110. +	long long* fragment_table_index = malloc(indexes * sizeof(long long));

  111.  
  112.  	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
  113.  		"from 0x%llx\n", sBlk.s.fragments, indexes,
  114. @@ -40,6 +40,7 @@ int read_fragment_table_3(long long *dir

  115.  
  116.  	if(sBlk.s.fragments == 0) {
  117.  		*directory_table_end = sBlk.s.fragment_table_start;
  118. +		free(fragment_table_index);

  119.  		return TRUE;
  120.  	}
  121.  
  122. @@ -49,7 +50,7 @@ int read_fragment_table_3(long long *dir

  123.  			"fragment table\n");
  124.  
  125.  	if(swap) {
  126. -		long long sfragment_table_index[indexes];

  127. +		long long* sfragment_table_index = malloc(indexes * sizeof(long long));

  128.  
  129.  		res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
  130.  			SQUASHFS_FRAGMENT_INDEX_BYTES_3(sBlk.s.fragments),
  131. @@ -57,10 +58,13 @@ int read_fragment_table_3(long long *dir

  132.  		if(res == FALSE) {
  133.  			ERROR("read_fragment_table: failed to read fragment "
  134.  				"table index\n");       
  135. +			free(fragment_table_index);

  136. +			free(sfragment_table_index);

  137.  			return FALSE;
  138.  		}
  139.  		SQUASHFS_SWAP_FRAGMENT_INDEXES_3(fragment_table_index,
  140.  			sfragment_table_index, indexes);
  141. +		free(sfragment_table_index);

  142.  	} else {
  143.  		res = read_fs_bytes(fd, sBlk.s.fragment_table_start,
  144.  			SQUASHFS_FRAGMENT_INDEX_BYTES_3(sBlk.s.fragments),
  145. @@ -68,6 +72,7 @@ int read_fragment_table_3(long long *dir

  146.  		if(res == FALSE) {
  147.  			ERROR("read_fragment_table: failed to read fragment "
  148.  				"table index\n");       
  149. +			free(fragment_table_index);

  150.  			return FALSE;
  151.  		}
  152.  	}
  153. @@ -83,6 +88,7 @@ int read_fragment_table_3(long long *dir

  154.  		if(length == FALSE) {
  155.  			ERROR("read_fragment_table: failed to read fragment "
  156.  				"table block\n");       
  157. +			free(fragment_table_index);

  158.  			return FALSE;
  159.  		}
  160.  	}
  161. @@ -98,6 +104,7 @@ int read_fragment_table_3(long long *dir

  162.  	}
  163.  
  164.  	*directory_table_end = fragment_table_index[0];
  165. +	free(fragment_table_index);

  166.  	return TRUE;
  167.  }
  168.  
  169. diff -aurp a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c

  170. --- a/squashfs-tools/unsquash-4.c	2014-09-18 20:16:18.000000000 -0600

  171. +++ b/squashfs-tools/unsquash-4.c	2017-08-29 14:49:01.424441708 -0600

  172. @@ -33,7 +33,7 @@ int read_fragment_table_4(long long *dir

  173.  	int res, i;
  174.  	int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
  175.  	int  indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
  176. -	long long fragment_table_index[indexes];

  177. +	long long* fragment_table_index = malloc(indexes * sizeof(long long));

  178.  
  179.  	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
  180.  		"from 0x%llx\n", sBlk.s.fragments, indexes,
  181. @@ -41,6 +41,7 @@ int read_fragment_table_4(long long *dir

  182.  
  183.  	if(sBlk.s.fragments == 0) {
  184.  		*directory_table_end = sBlk.s.fragment_table_start;
  185. +		free(fragment_table_index);

  186.  		return TRUE;
  187.  	}
  188.  
  189. @@ -55,6 +56,7 @@ int read_fragment_table_4(long long *dir

  190.  	if(res == FALSE) {
  191.  		ERROR("read_fragment_table: failed to read fragment table "
  192.  			"index\n");
  193. +		free(fragment_table_index);

  194.  		return FALSE;
  195.  	}
  196.  	SQUASHFS_INSWAP_FRAGMENT_INDEXES(fragment_table_index, indexes);
  197. @@ -70,6 +72,7 @@ int read_fragment_table_4(long long *dir

  198.  		if(length == FALSE) {
  199.  			ERROR("read_fragment_table: failed to read fragment "
  200.  				"table index\n");
  201. +			free(fragment_table_index);

  202.  			return FALSE;
  203.  		}
  204.  	}
  205. @@ -78,6 +81,7 @@ int read_fragment_table_4(long long *dir

  206.  		SQUASHFS_INSWAP_FRAGMENT_ENTRY(&fragment_table[i]);
  207.  
  208.  	*directory_table_end = fragment_table_index[0];
  209. +	free(fragment_table_index);

  210.  	return TRUE;
  211.  }
  212.  
  213. @@ -356,13 +360,14 @@ int read_uids_guids_4()

  214.  	int res, i;
  215.  	int bytes = SQUASHFS_ID_BYTES(sBlk.s.no_ids);
  216.  	int indexes = SQUASHFS_ID_BLOCKS(sBlk.s.no_ids);
  217. -	long long id_index_table[indexes];

  218. +	long long* id_index_table = malloc(indexes * sizeof(long long));

  219.  
  220.  	TRACE("read_uids_guids: no_ids %d\n", sBlk.s.no_ids);
  221.  
  222.  	id_table = malloc(bytes);
  223.  	if(id_table == NULL) {
  224.  		ERROR("read_uids_guids: failed to allocate id table\n");
  225. +		free(id_index_table);

  226.  		return FALSE;
  227.  	}
  228.  
  229. @@ -370,6 +375,7 @@ int read_uids_guids_4()

  230.  		SQUASHFS_ID_BLOCK_BYTES(sBlk.s.no_ids), id_index_table);
  231.  	if(res == FALSE) {
  232.  		ERROR("read_uids_guids: failed to read id index table\n");
  233. +		free(id_index_table);

  234.  		return FALSE;
  235.  	}
  236.  	SQUASHFS_INSWAP_ID_BLOCKS(id_index_table, indexes);
  237. @@ -382,11 +388,13 @@ int read_uids_guids_4()

  238.  		if(res == FALSE) {
  239.  			ERROR("read_uids_guids: failed to read id table block"
  240.  				"\n");
  241. +			free(id_index_table);

  242.  			return FALSE;
  243.  		}
  244.  	}
  245.  
  246.  	SQUASHFS_INSWAP_INTS(id_table, sBlk.s.no_ids);
  247.  
  248. +	free(id_index_table);

  249.  	return TRUE;
  250.  }
  251. diff -aurp a/squashfs-tools/unsquashfs.c b/squashfs-tools/unsquashfs.c

  252. --- a/squashfs-tools/unsquashfs.c	2017-08-29 14:58:51.917037533 -0600

  253. +++ b/squashfs-tools/unsquashfs.c	2017-08-29 13:14:03.082818149 -0600

  254. @@ -691,7 +691,7 @@ int read_block(int fd, long long start,

  255.  		return 0;
  256.  
  257.  	if(compressed) {
  258. -		char buffer[c_byte];

  259. +		char* buffer = malloc(c_byte);

  260.  		int error;
  261.  
  262.  		res = read_fs_bytes(fd, start + offset, c_byte, buffer);
  263. @@ -704,8 +704,10 @@ int read_block(int fd, long long start,

  264.  		if(res == -1) {
  265.  			ERROR("%s uncompress failed with error code %d\n",
  266.  				comp->name, error);
  267. +			free(buffer);

  268.  			goto failed;
  269.  		}
  270. +		free(buffer);

  271.  	} else {
  272.  		res = read_fs_bytes(fd, start + offset, c_byte, block);
  273.  		if(res == FALSE)
  274. @@ -2097,7 +2099,7 @@ void *writer(void *arg)

  275.   */
  276.  void *inflator(void *arg)
  277.  {
  278. -	char tmp[block_size];

  279. +	char* tmp = malloc(block_size);

  280.  
  281.  	while(1) {
  282.  		struct cache_entry *entry = queue_get(to_inflate);
  283. @@ -2120,6 +2122,7 @@ void *inflator(void *arg)

  284.   		 */ 
  285.  		cache_block_ready(entry, res == -1);
  286.  	}
  287. +	free(tmp);

  288.  }
  289.  
  290.  
  291. diff -aurp a/squashfs-tools/mksquashfs.c b/squashfs-tools/mksquashfs.c

  292. --- a/squashfs-tools/mksquashfs.c	2017-09-05 15:09:19.090937121 -0600

  293. +++ b/squashfs-tools/mksquashfs.c	2017-09-01 09:58:11.274529037 -0600

  294. @@ -652,7 +652,7 @@ long long write_directories()

  295.  long long write_id_table()
  296.  {
  297.  	unsigned int id_bytes = SQUASHFS_ID_BYTES(id_count);
  298. -	unsigned int p[id_count];

  299. +	unsigned int* p = malloc(id_count * sizeof(unsigned int));

  300.  	int i;
  301.  
  302.  	TRACE("write_id_table: ids %d, id_bytes %d\n", id_count, id_bytes);
  303. @@ -655,6 +655,9 @@ long long write_id_table()

  304.  	unsigned int* p = malloc(id_count * sizeof(unsigned int));
  305.  	int i;
  306.  
  307. +	if(p == NULL)

  308. +		MEM_ERROR();

  309. +

  310.  	TRACE("write_id_table: ids %d, id_bytes %d\n", id_count, id_bytes);
  311.  	for(i = 0; i < id_count; i++) {
  312.  		TRACE("write_id_table: id index %d, id %d", i, id_table[i]->id);
  313. 

  314. @@ -661,6 +661,7 @@ long long write_id_table()

  315.  		SQUASHFS_SWAP_INTS(&id_table[i]->id, p + i, 1);
  316.  	}
  317.  
  318. +	free(p);

  319.  	return generic_write_table(id_bytes, p, 0, NULL, noI);
  320.  }
  321.  
  322. diff -aurp a/squashfs-tools/read_fs.c b/squashfs-tools/read_fs.c

  323. --- a/squashfs-tools/read_fs.c	2014-09-18 20:16:18.000000000 -0600

  324. +++ b/squashfs-tools/read_fs.c	2017-09-05 15:35:19.328547536 -0600

  325. @@ -77,18 +77,24 @@ int read_block(int fd, long long start,

  326.  		return 0;
  327.  
  328.  	if(compressed) {
  329. -		char buffer[c_byte];

  330. +		char* buffer = malloc(c_byte);

  331.  		int error;
  332.  
  333. +		if(buffer == NULL)

  334. +			MEM_ERROR();

  335. +

  336.  		res = read_fs_bytes(fd, start + 2, c_byte, buffer);
  337. -		if(res == 0)

  338. +		if(res == 0) {

  339. +			free(buffer);

  340.  			return 0;
  341. +		}

  342.  
  343.  		res = compressor_uncompress(comp, block, buffer, c_byte,
  344.  			outlen, &error);
  345.  		if(res == -1) {
  346.  			ERROR("%s uncompress failed with error code %d\n",
  347.  				comp->name, error);
  348. +			free(buffer);

  349.  			return 0;
  350.  		}
  351.  	} else {
  352. @@ -699,7 +705,7 @@ all_done:

  353.  unsigned int *read_id_table(int fd, struct squashfs_super_block *sBlk)
  354.  {
  355.  	int indexes = SQUASHFS_ID_BLOCKS(sBlk->no_ids);
  356. -	long long index[indexes];

  357. +	long long* index;

  358.  	int bytes = SQUASHFS_ID_BYTES(sBlk->no_ids);
  359.  	unsigned int *id_table;
  360.  	int res, i;
  361. @@ -708,12 +714,17 @@ unsigned int *read_id_table(int fd, stru

  362.  	if(id_table == NULL)
  363.  		MEM_ERROR();
  364.  
  365. +	index = malloc(indexes * sizeof(long long));

  366. +	if(index == NULL)

  367. +		MEM_ERROR();

  368. +

  369.  	res = read_fs_bytes(fd, sBlk->id_table_start,
  370.  		SQUASHFS_ID_BLOCK_BYTES(sBlk->no_ids), index);
  371.  	if(res == 0) {
  372.  		ERROR("Failed to read id table index\n");
  373.  		ERROR("Filesystem corrupted?\n");
  374.  		free(id_table);
  375. +		free(index);

  376.  		return NULL;
  377.  	}
  378.  
  379. @@ -732,6 +743,7 @@ unsigned int *read_id_table(int fd, stru

  380.  				"length %d\n", i, index[i], length);
  381.  			ERROR("Filesystem corrupted?\n");
  382.  			free(id_table);
  383. +			free(index);

  384.  			return NULL;
  385.  		}
  386.  	}
  387. @@ -753,14 +765,19 @@ int read_fragment_table(int fd, struct s

  388.  	int res, i;
  389.  	int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk->fragments);
  390.  	int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk->fragments);
  391. -	long long fragment_table_index[indexes];

  392. +	long long* fragment_table_index = malloc(indexes * sizeof(long long));

  393. +

  394. +	if(fragment_table_index == NULL)

  395. +		MEM_ERROR();

  396.  
  397.  	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
  398.  		"from 0x%llx\n", sBlk->fragments, indexes,
  399.  		sBlk->fragment_table_start);
  400.  
  401. -	if(sBlk->fragments == 0)

  402. +	if(sBlk->fragments == 0) {

  403. +		free(fragment_table_index);

  404.  		return 1;
  405. +	}

  406.  
  407.  	*fragment_table = malloc(bytes);
  408.  	if(*fragment_table == NULL)
  409. @@ -773,6 +790,7 @@ int read_fragment_table(int fd, struct s

  410.  		ERROR("Failed to read fragment table index\n");
  411.  		ERROR("Filesystem corrupted?\n");
  412.  		free(*fragment_table);
  413. +		free(fragment_table_index);

  414.  		return 0;
  415.  	}
  416.  
  417. @@ -792,6 +810,7 @@ int read_fragment_table(int fd, struct s

  418.  				fragment_table_index[i], length);
  419.  			ERROR("Filesystem corrupted?\n");
  420.  			free(*fragment_table);
  421. +			free(fragment_table_index);

  422.  			return 0;
  423.  		}
  424.  	}
  425. @@ -799,6 +818,7 @@ int read_fragment_table(int fd, struct s

  426.  	for(i = 0; i < sBlk->fragments; i++)
  427.  		SQUASHFS_INSWAP_FRAGMENT_ENTRY(&(*fragment_table)[i]);
  428.  
  429. +	free(fragment_table_index);

  430.  	return 1;
  431.  }
  432.  
  433. @@ -808,11 +828,16 @@ int read_inode_lookup_table(int fd, stru

  434.  {
  435.  	int lookup_bytes = SQUASHFS_LOOKUP_BYTES(sBlk->inodes);
  436.  	int indexes = SQUASHFS_LOOKUP_BLOCKS(sBlk->inodes);
  437. -	long long index[indexes];

  438. +	long long* index = malloc(indexes * sizeof(long long));

  439.  	int res, i;
  440.  
  441. -	if(sBlk->lookup_table_start == SQUASHFS_INVALID_BLK)

  442. +	if(index == NULL)

  443. +		MEM_ERROR();

  444. +

  445. +	if(sBlk->lookup_table_start == SQUASHFS_INVALID_BLK) {

  446. +		free(index);

  447.  		return 1;
  448. +	}

  449.  
  450.  	*inode_lookup_table = malloc(lookup_bytes);
  451.  	if(*inode_lookup_table == NULL)
  452. @@ -824,6 +849,7 @@ int read_inode_lookup_table(int fd, stru

  453.  		ERROR("Failed to read inode lookup table index\n");
  454.  		ERROR("Filesystem corrupted?\n");
  455.  		free(*inode_lookup_table);
  456. +		free(index);

  457.  		return 0;
  458.  	}
  459.  
  460. @@ -843,12 +869,14 @@ int read_inode_lookup_table(int fd, stru

  461.  				length);
  462.  			ERROR("Filesystem corrupted?\n");
  463.  			free(*inode_lookup_table);
  464. +			free(index);

  465.  			return 0;
  466.  		}
  467.  	}
  468.  
  469.  	SQUASHFS_INSWAP_LONG_LONGS(*inode_lookup_table, sBlk->inodes);
  470.  
  471. +	free(index);

  472.  	return 1;
  473.  }
  474.