173 lines
5.3 KiB
Diff
173 lines
5.3 KiB
Diff
From 59c36ebe29fddd832c7afecc26dc5fe3e61faf1f Mon Sep 17 00:00:00 2001
|
|
From: jmoellers <josef.moellers@suse.com>
|
|
Date: Fri, 7 Sep 2018 13:55:35 +0200
|
|
Subject: [PATCH 1/3] One more free() to avoid memory leak.
|
|
|
|
---
|
|
zzip/zip.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git zzip/zip.c zzip/zip.c
|
|
index 14e2e06..a28456f 100644
|
|
--- zzip/zip.c
|
|
+++ zzip/zip.c
|
|
@@ -575,6 +575,8 @@ __zzip_parse_root_directory(int fd,
|
|
if (hdr_return)
|
|
*hdr_return = hdr0;
|
|
} /* else zero (sane) entries */
|
|
+ else
|
|
+ free(hdr0);
|
|
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
|
|
return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
|
|
# else
|
|
--
|
|
2.20.1
|
|
|
|
|
|
From 490d6e72031790da0a4d229d13f7d5a389789977 Mon Sep 17 00:00:00 2001
|
|
From: jmoellers <josef.moellers@suse.com>
|
|
Date: Fri, 7 Sep 2018 11:49:28 +0200
|
|
Subject: [PATCH 2/3] Avoid memory leak from __zzip_parse_root_directory().
|
|
|
|
---
|
|
zzip/zip.c | 28 ++++++++++++++++++++--------
|
|
1 file changed, 20 insertions(+), 8 deletions(-)
|
|
|
|
diff --git zzip/zip.c zzip/zip.c
|
|
index a28456f..51a1a4d 100644
|
|
--- zzip/zip.c
|
|
+++ zzip/zip.c
|
|
@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
|
|
int __zzip_parse_root_directory(int fd,
|
|
struct _disk_trailer *trailer,
|
|
struct zzip_dir_hdr **hdr_return,
|
|
- zzip_plugin_io_t io);
|
|
+ zzip_plugin_io_t io,
|
|
+ zzip_off_t filesize);
|
|
|
|
_zzip_inline static char *__zzip_aligned4(char *p);
|
|
|
|
@@ -406,7 +407,8 @@ int
|
|
__zzip_parse_root_directory(int fd,
|
|
struct _disk_trailer *trailer,
|
|
struct zzip_dir_hdr **hdr_return,
|
|
- zzip_plugin_io_t io)
|
|
+ zzip_plugin_io_t io,
|
|
+ zzip_off_t filesize)
|
|
{
|
|
auto struct zzip_disk_entry dirent;
|
|
struct zzip_dir_hdr *hdr;
|
|
@@ -421,7 +423,8 @@ __zzip_parse_root_directory(int fd,
|
|
zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
|
|
__correct_rootseek(zz_rootseek, zz_rootsize, trailer);
|
|
|
|
- if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
|
|
+ if (zz_entries <= 0 || zz_rootsize < 0 ||
|
|
+ zz_rootseek < 0 || zz_rootseek >= filesize)
|
|
return ZZIP_CORRUPTED;
|
|
|
|
hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
|
|
@@ -472,9 +475,15 @@ __zzip_parse_root_directory(int fd,
|
|
} else
|
|
{
|
|
if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
|
|
+ {
|
|
+ free(hdr0);
|
|
return ZZIP_DIR_SEEK;
|
|
+ }
|
|
if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
|
|
+ {
|
|
+ free(hdr0);
|
|
return ZZIP_DIR_READ;
|
|
+ }
|
|
d = &dirent;
|
|
}
|
|
|
|
@@ -574,13 +583,16 @@ __zzip_parse_root_directory(int fd,
|
|
|
|
if (hdr_return)
|
|
*hdr_return = hdr0;
|
|
+ else
|
|
+ {
|
|
+ /* If it is not assigned to *hdr_return, it will never be free()'d */
|
|
+ free(hdr0);
|
|
+ }
|
|
} /* else zero (sane) entries */
|
|
- else
|
|
- free(hdr0);
|
|
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
|
|
- return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
|
|
+ return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
|
|
# else
|
|
- return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
|
|
+ return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
|
|
# endif
|
|
}
|
|
|
|
@@ -757,7 +769,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
|
|
(long) _disk_trailer_rootseek(&trailer));
|
|
|
|
if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
|
|
- dir->io)) != 0)
|
|
+ dir->io, filesize)) != 0)
|
|
{ goto error; }
|
|
error:
|
|
return rv;
|
|
--
|
|
2.20.1
|
|
|
|
|
|
From aab49d23bc28d13183cb62e71b884e24595cbe65 Mon Sep 17 00:00:00 2001
|
|
From: jmoellers <josef.moellers@suse.com>
|
|
Date: Fri, 7 Sep 2018 11:32:04 +0200
|
|
Subject: [PATCH 3/3] Avoid memory leak from __zzip_parse_root_directory().
|
|
|
|
---
|
|
zzip/zip.c | 25 +++++++++++++++++++++++--
|
|
1 file changed, 23 insertions(+), 2 deletions(-)
|
|
|
|
diff --git zzip/zip.c zzip/zip.c
|
|
index 51a1a4d..a685280 100644
|
|
--- zzip/zip.c
|
|
+++ zzip/zip.c
|
|
@@ -587,13 +587,34 @@ __zzip_parse_root_directory(int fd,
|
|
{
|
|
/* If it is not assigned to *hdr_return, it will never be free()'d */
|
|
free(hdr0);
|
|
+ /* Make sure we don't free it again in case of error */
|
|
+ hdr0 = NULL;
|
|
}
|
|
} /* else zero (sane) entries */
|
|
# ifndef ZZIP_ALLOW_MODULO_ENTRIES
|
|
- return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
|
|
+ if (entries != zz_entries)
|
|
+ {
|
|
+ /* If it was assigned to *hdr_return, undo assignment */
|
|
+ if (p_reclen && hdr_return)
|
|
+ *hdr_return = NULL;
|
|
+ /* Free it, if it was not already free()'d */
|
|
+ if (hdr0 != NULL)
|
|
+ free(hdr0);
|
|
+ return ZZIP_CORRUPTED;
|
|
+ }
|
|
# else
|
|
- return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
|
|
+ if (((entries & (unsigned)0xFFFF) != zz_entries)
|
|
+ {
|
|
+ /* If it was assigned to *hdr_return, undo assignment */
|
|
+ if (p_reclen && hdr_return)
|
|
+ *hdr_return = NULL;
|
|
+ /* Free it, if it was not already free()'d */
|
|
+ if (hdr0 != NULL)
|
|
+ free(hdr0);
|
|
+ return ZZIP_CORRUPTED;
|
|
+ }
|
|
# endif
|
|
+ return 0;
|
|
}
|
|
|
|
/* ------------------------- high-level interface ------------------------- */
|
|
--
|
|
2.20.1
|
|
|