rpms / libcdio

Clone
Source Code
GIT

Files

  1.   578e1da917a262b24ee7f6c48e0fc6e776f31161
  2.   SOURCES
  3.   CVE-2017-18198-part4.patch
Blob Blame History Raw 
--- ./libcdio-0.92/lib/iso9660/iso9660_fs.c	2018-06-06 11:52:23.464809984 +0200
+++ ../libcdio-fedora/libcdio-0.94/lib/iso9660/iso9660_fs.c	2018-06-05 18:18:31.235215219 +0200
@@ -714,6 +714,7 @@
   iso711_t i_fname;
   unsigned int stat_len;
   iso9660_stat_t *p_stat;
+  bool err;
 
   if (!dir_len) return NULL;
 
@@ -730,8 +731,16 @@
     }
   p_stat->type    = (p_iso9660_dir->file_flags & ISO_DIRECTORY)
     ? _STAT_DIR : _STAT_FILE;
-  p_stat->lsn     = from_733 (p_iso9660_dir->extent);
-  p_stat->size    = from_733 (p_iso9660_dir->size);
+  p_stat->lsn     = from_733_with_err (p_iso9660_dir->extent, &err);
+  if (err) {
+    free(p_stat);
+    return NULL;
+  }
+  p_stat->size    = from_733_with_err (p_iso9660_dir->size, &err);
+  if (err) {
+    free(p_stat);
+    return NULL;
+  }
   p_stat->secsize = _cdio_len2blocks (p_stat->size, ISO_BLOCKSIZE);
   p_stat->rr.b3_rock = dunno; /*FIXME should do based on mask */
   p_stat->b_xa    = false;
@@ -754,6 +763,7 @@
         if (!p_stat_new)
           {
           cdio_warn("Couldn't calloc(1, %d)", (int)(sizeof(iso9660_stat_t)+i_rr_fname+2));
+	  free(p_stat);
           return NULL;
           }
 	memcpy(p_stat_new, p_stat, stat_len);
@@ -1098,6 +1108,12 @@
       p_stat = _iso9660_dir_to_statbuf (p_iso9660_dir, p_iso->b_xa,
 					p_iso->u_joliet_level);
 
+      if (!p_stat) {
+	cdio_warn("Bad directory information for %s", splitpath[0]);
+	free(_dirbuf);
+	return NULL;
+      }
+
       cmp = strcmp(splitpath[0], p_stat->filename);
 
       if ( 0 != cmp && 0 == p_iso->u_joliet_level
@@ -1283,12 +1299,15 @@
     if (!_dirbuf)
       {
       cdio_warn("Couldn't calloc(1, %d)", p_stat->secsize * ISO_BLOCKSIZE);
+      _cdio_list_free (retval, true);
       return NULL;
       }
 
     if (cdio_read_data_sectors (p_cdio, _dirbuf, p_stat->lsn,
-				ISO_BLOCKSIZE, p_stat->secsize))
-	return NULL;
+				ISO_BLOCKSIZE, p_stat->secsize)) {
+      _cdio_list_free (retval, true);
+      return NULL;
+    }
 
     while (offset < (p_stat->secsize * ISO_BLOCKSIZE))
       {
@@ -1401,14 +1417,14 @@
       }
 
     free (_dirbuf);
+    free(p_stat->rr.psz_symlink);
 
-    if (offset != (p_stat->secsize * ISO_BLOCKSIZE)) {
-      free (p_stat);
+    if (offset != (p_stat->secsize * ISO_BLOCKSIZE)) {
+      free (p_stat);
       _cdio_list_free (retval, true);
       return NULL;
     }
 
-    free (p_stat->rr.psz_symlink);
     free (p_stat);
     return retval;
   }
@@ -1528,6 +1563,16 @@
 }
 
 /*!
+  Free the passed iso9660_stat_t structure.
+ */
+void
+iso9660_stat_free(iso9660_stat_t *p_stat)
+{
+  if (p_stat != NULL)
+    free(p_stat);
+}
+
+/*!
   Return true if ISO 9660 image has extended attrributes (XA).
 */
 bool
@@ -1580,11 +1625,11 @@
       if ( have_rr != yep) {
 	have_rr = iso_have_rr_traverse (p_iso, p_stat, &splitpath[1], pu_file_limit);
       }
+      free(p_stat);
       if (have_rr != nope) {
 	free (_dirbuf);
 	return have_rr;
       }
-      free(p_stat);
 
       offset += iso9660_get_dir_len(p_iso9660_dir);
       *pu_file_limit = (*pu_file_limit)-1;

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation