diff options
Diffstat (limited to 'meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch')
-rw-r--r-- | meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch | 72 |
1 files changed, 0 insertions, 72 deletions
diff --git a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch b/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch deleted file mode 100644 index 8b9904fd56..0000000000 --- a/meta/recipes-devtools/squashfs-tools/squashfs-tools/squashfs-4.2-fix-CVE-2012-4024.patch +++ /dev/null @@ -1,72 +0,0 @@ -Upstream-Status: Backport - -Reference:http://squashfs.git.sourceforge.net/git/gitweb.cgi?p= -squashfs/squashfs;a=commit;h=19c38fba0be1ce949ab44310d7f49887576cc123 - -Fix potential stack overflow in get_component() where an individual -pathname component in an extract file (specified on the command line -or in an extract file) could exceed the 1024 byte sized targname -allocated on the stack. - -Fix by dynamically allocating targname rather than storing it as -a fixed size on the stack. - -Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> -diff -urpN a/unsquashfs.c b/unsquashfs.c ---- a/unsquashfs.c 2012-11-29 17:04:08.000000000 +0800 -+++ b/unsquashfs.c 2012-11-29 17:04:25.000000000 +0800 -@@ -1034,15 +1034,18 @@ void squashfs_closedir(struct dir *dir) - } - - --char *get_component(char *target, char *targname) -+char *get_component(char *target, char **targname) - { -+ char *start; -+ - while(*target == '/') - target ++; - -+ start = target; - while(*target != '/' && *target!= '\0') -- *targname ++ = *target ++; -+ target ++; - -- *targname = '\0'; -+ *targname = strndup(start, target - start); - - return target; - } -@@ -1068,12 +1071,12 @@ void free_path(struct pathname *paths) - - struct pathname *add_path(struct pathname *paths, char *target, char *alltarget) - { -- char targname[1024]; -+ char *targname; - int i, error; - - TRACE("add_path: adding \"%s\" extract file\n", target); - -- target = get_component(target, targname); -+ target = get_component(target, &targname); - - if(paths == NULL) { - paths = malloc(sizeof(struct pathname)); -@@ -1097,7 +1100,7 @@ struct pathname *add_path(struct pathnam - sizeof(struct path_entry)); - if(paths->name == NULL) - EXIT_UNSQUASH("Out of memory in add_path\n"); -- paths->name[i].name = strdup(targname); -+ paths->name[i].name = targname; - paths->name[i].paths = NULL; - if(use_regex) { - paths->name[i].preg = malloc(sizeof(regex_t)); -@@ -1130,6 +1133,8 @@ struct pathname *add_path(struct pathnam - /* - * existing matching entry - */ -+ free(targname); -+ - if(paths->name[i].paths == NULL) { - /* - * No sub-directory which means this is the leaf |