From: Phillip Lougher <phillip@squashfs.org.uk> |
Date: Thu, 22 Nov 2012 04:58:39 +0000 (+0000) |
Subject: unsquashfs: fix CVE-2012-4024 |
X-Git-Url: http://squashfs.git.sourceforge.net/git/gitweb.cgi?p=squashfs%2Fsquashfs;a=commitdiff_plain;h=19c38fba0be1ce949ab44310d7f49887576cc123;hp=f7bbe5a202648b505879e2570672c012498f31fb |
|
unsquashfs: fix CVE-2012-4024 |
|
Fix a potential stack-based buffer overflow in get_component() where an individual |
pathname component in an extract file (specified on the command line |
or in an extract file) could exceed the 1024 byte sized targname |
allocated on the stack. |
|
Fix by dynamically allocating targname rather than storing it as |
a fixed size on the stack. |
|
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk> |
--- |
|
diff -Nurp squashfs4.2/squashfs-tools/unsquashfs.c squashfs4.2-fix1/squashfs-tools/unsquashfs.c |
20 |
--- squashfs4.2/squashfs-tools/unsquashfs.c 2013-01-03 18:23:53.122876501 +0200 |
21 |
+++ squashfs4.2-fix1/squashfs-tools/unsquashfs.c 2013-01-03 18:25:58.835643093 +0200 |
22 |
@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir) |
23 |
} |
24 |
|
25 |
|
26 |
-char *get_component(char *target, char *targname) |
27 |
+char *get_component(char *target, char **targname) |
28 |
{ |
29 |
+ char *start; |
30 |
+ |
31 |
while(*target == '/') |
32 |
target ++; |
33 |
|
34 |
+ start = target; |
35 |
while(*target != '/' && *target!= '\0') |
36 |
- *targname ++ = *target ++; |
37 |
+ target ++; |
38 |
|
39 |
- *targname = '\0'; |
40 |
+ *targname = strndup(start, target - start); |
41 |
|
42 |
return target; |
43 |
} |
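Review bot: The result of `*targname = strndup(start, target - start);` is stored without a NULL check, so an allocation failure hands add_path a NULL component that the third hunk stores unchecked in `paths->name[i].name`, where any later comparison against it would dereference NULL. The file's convention for allocation failure is visible in that same hunk (`EXIT_UNSQUASH("Out of memory in add_path\n")`), so the same check belongs here: `if(*targname == NULL) EXIT_UNSQUASH("Out of memory in get_component\n");` (or, equivalently, on targname right after the get_component() call in the second hunk). Since get_component() now allocates, a comment above its definition should state the new contract, e.g. `/* *targname is strndup'd; the caller owns it and must free() it or hand it on */`.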
44 |
@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths) |
45 |
|
46 |
struct pathname *add_path(struct pathname *paths, char *target, char *alltarget) |
47 |
{ |
48 |
- char targname[1024]; |
49 |
+ char *targname; |
50 |
int i, error; |
51 |
|
52 |
TRACE("add_path: adding \"%s\" extract file\n", target); |
53 |
|
54 |
- target = get_component(target, targname); |
55 |
+ target = get_component(target, &targname); |
56 |
|
57 |
if(paths == NULL) { |
58 |
paths = malloc(sizeof(struct pathname)); |
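Review bot: The local `char *targname;` now receives a heap pointer from get_component(), but nothing at the declaration says so; the pointer is either transferred to the new path entry or freed on the existing-entry path in later hunks, and a reader of add_path's body (which continues outside this hunk) has no cue that it must not be used after either. Suggest annotating the declaration: `char *targname; /* strndup'd by get_component(); ownership moves to paths->name[i].name or it is freed below */`.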
59 |
@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam |
60 |
sizeof(struct path_entry)); |
61 |
if(paths->name == NULL) |
62 |
EXIT_UNSQUASH("Out of memory in add_path\n"); |
63 |
- paths->name[i].name = strdup(targname); |
64 |
+ paths->name[i].name = targname; |
65 |
paths->name[i].paths = NULL; |
66 |
if(use_regex) { |
67 |
paths->name[i].preg = malloc(sizeof(regex_t)); |
68 |
@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam |
69 |
/* |
70 |
* existing matching entry |
71 |
*/ |
72 |
+ free(targname); |
73 |
+ |
74 |
if(paths->name[i].paths == NULL) { |
75 |
/* |
76 |
* No sub-directory which means this is the leaf |
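Review bot: After the added `free(targname);` the local still points at freed memory for the remainder of the existing-entry branch, which continues outside this hunk; if any later statement in that branch (a TRACE of the component, for instance) still references targname it is a use-after-free. Either move the free to the end of the branch or clear the pointer at the point of release, `free(targname); targname = NULL;`. I cannot see the rest of the branch here, so this is a request to confirm rather than a claim of a defect.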