[coreutils/f17] cp: avoid data-corrupting free-memory-read (upstream fix)
Ondrej Vasik
ovasik at fedoraproject.org
Mon Nov 5 13:24:07 UTC 2012
commit f5df66531d2f98413d52f44dcee535f466cacd8d
Author: Ondřej Vašík <ovasik at redhat.com>
Date: Mon Nov 5 14:03:54 2012 +0100
cp: avoid data-corrupting free-memory-read (upstream fix)
coreutils-8.17-cp-freememoryread.patch | 29 +++++++++++++++++++++++++++++
1 files changed, 29 insertions(+), 0 deletions(-)
---
diff --git a/coreutils-8.17-cp-freememoryread.patch b/coreutils-8.17-cp-freememoryread.patch
new file mode 100644
index 0000000..be4a429
--- /dev/null
+++ b/coreutils-8.17-cp-freememoryread.patch
@@ -0,0 +1,29 @@
+diff -urNp coreutils-8.17-orig/src/extent-scan.c coreutils-8.17/src/extent-scan.c
+--- coreutils-8.17-orig/src/extent-scan.c 2012-05-02 10:31:47.000000000 +0200
++++ coreutils-8.17/src/extent-scan.c 2012-11-05 12:05:36.732370966 +0100
+@@ -89,7 +89,7 @@ extern bool
+ extent_scan_read (struct extent_scan *scan)
+ {
+ unsigned int si = 0;
+- struct extent_info *last_ei IF_LINT ( = scan->ext_info);
++ struct extent_info *last_ei = scan->ext_info;
+
+ while (true)
+ {
+@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *sc
+
+ assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
+ scan->ei_count += fiemap->fm_mapped_extents;
+- scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+- sizeof (struct extent_info));
++ {
++ /* last_ei points into a buffer that may be freed via xnrealloc.
++ Record its offset and adjust after allocation. */
++ size_t prev_idx = last_ei - scan->ext_info;
++ scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
++ sizeof (struct extent_info));
++ last_ei = scan->ext_info + prev_idx;
++ }
+
+ unsigned int i = 0;
+ for (i = 0; i < fiemap->fm_mapped_extents; i++)
More information about the scm-commits
mailing list