From e6c869ab1753986b032463f2e0bd5fad7bc70e0f Mon Sep 17 00:00:00 2001
From: David Oberhollenzer
Date: Tue, 23 Jul 2019 08:34:11 +0200
Subject: Fix tree node scanning

- Bail early on empty directories without touching the meta readers.
- Aport the directory read loop if we can't even read a header anymore, no matter if there are bytes remaining.
- Also add that same condition to the inner loop.

The later two actually caused a numeric overflow on some particularly malformed squashfs images, going into a RAM filling infinite loop.

Signed-off-by: David Oberhollenzer
---
 lib/sqfs/deserialize_fstree.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

(limited to 'lib')

diff --git a/lib/sqfs/deserialize_fstree.c b/lib/sqfs/deserialize_fstree.c
index e90e1c1..bc1d6e4 100644
--- a/lib/sqfs/deserialize_fstree.c
+++ b/lib/sqfs/deserialize_fstree.c
@@ -38,27 +38,31 @@ static int fill_dir(meta_reader_t *ir, meta_reader_t *dr, tree_node_t *root,
 	size_t size, diff;
 	uint32_t i;
 
+	size = root->data.dir->size;
+	if (size <= sizeof(hdr))
+		return 0;
+
 	block_start = root->data.dir->start_block;
 	block_start += super->directory_table_start;
 
 	if (meta_reader_seek(dr, block_start, root->data.dir->block_offset))
 		return -1;
 
-	size = root->data.dir->size;
-
-	while (size != 0) {
+	while (size > sizeof(hdr)) {
 		if (meta_reader_read_dir_header(dr, &hdr))
 			return -1;
-		size -= sizeof(hdr) > size ? size : sizeof(hdr);
+		size -= sizeof(hdr);
 
-		for (i = 0; i <= hdr.count; ++i) {
+		for (i = 0; i <= hdr.count && size > sizeof(*ent); ++i) {
 			ent = meta_reader_read_dir_ent(dr);
 			if (ent == NULL)
 				return -1;
 
 			diff = sizeof(*ent) + strlen((char *)ent->name);
-			size -= diff > size ? size : diff;
+			if (diff > size)
+				break;
+			size -= diff;
 
 			if (should_skip(ent->type, flags)) {
 				free(ent);
--
cgit v1.2.3
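Review bot: The new `if (diff > size) break;` leaks the entry just returned by meta_reader_read_dir_ent — the `free(ent)` in the should_skip branch a few lines below shows ent is heap-owned, and the break path never releases it, so every truncated entry on a malformed image leaks one allocation. The minimal fix is `if (diff > size) { free(ent); break; }`. It is also worth deciding whether an entry that overruns the directory's declared size should be an error rather than a silent break: after the break the outer loop reads another header from wherever the reader now stands, which on a malformed image is presumably not a header boundary, so returning -1 here would be the stricter and more predictable choice. fill_dir starts before this hunk and its body continues past it.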