Djam/u-boot
1
0
Fork 0
mirror of https://github.com/u-boot/u-boot.git synced 2025-04-23 22:14:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

squashfs: Fix heap corruption in sqfs_search_dir()

Browse source 
res needs to be large enough to store both strings rem and target,
plus the path separator and the terminator.
Currently the space for the path separator is not accounted, so
the heap is corrupted by one byte.

Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
This commit is contained in:
Richard Weinberger 2024-08-02 22:05:09 +02:00 committed by Tom Rini
parent 4f5cc096bf
commit 048d795bb5
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
fs/squashfs/sqfs.c
View file

@ -567,8 +567,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
ret = -ENOMEM;
goto out;
}
/* Concatenate remaining tokens and symlink's target */
res = malloc(strlen(rem) + strlen(target) + 1);
/*
* Concatenate remaining tokens and symlink's target.
* Allocate enough space for rem, target, '/' and '\0'.
*/
res = malloc(strlen(rem) + strlen(target) + 2);
if (!res) {
ret = -ENOMEM;
goto out;