squashfs: Fix heap corruption in sqfs_search_dir()

res needs to be large enough to store both strings rem and target, plus the path separator and the terminator. Currently the space for the path separator is not accounted, so the heap is corrupted by one byte. Signed-off-by: Richard Weinberger <[email protected]> Reviewed-by: Miquel Raynal <[email protected]>
author: Richard Weinberger <[email protected]> 2024-08-02 22:05:09 +0200
committer: Tom Rini <[email protected]> 2024-08-15 16:14:36 -0600
commit: 048d795bb5b3d9c5701b4855f5e74bcf6849bf5e (patch)
tree: 07355b0c153b3c8ad4a75327a71383609690c36e
parent: 4f5cc096bfd0a591f8a11e86999e3d90a9484c34 (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index af7ff80a7bd..b9314019b1b 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -567,8 +567,11 @@ static int sqfs_search_dir(struct squashfs_dir_stream *dirs, char **token_list,
 				ret = -ENOMEM;
 				goto out;
 			}
-			/* Concatenate remaining tokens and symlink's target */
-			res = malloc(strlen(rem) + strlen(target) + 1);
+			/*
+			 * Concatenate remaining tokens and symlink's target.
+			 * Allocate enough space for rem, target, '/' and '\0'.
+			 */
+			res = malloc(strlen(rem) + strlen(target) + 2);
 			if (!res) {
 				ret = -ENOMEM;
 				goto out;
author	Richard Weinberger <[email protected]>	2024-08-02 22:05:09 +0200
committer	Tom Rini <[email protected]>	2024-08-15 16:14:36 -0600
commit	048d795bb5b3d9c5701b4855f5e74bcf6849bf5e (patch)
tree	07355b0c153b3c8ad4a75327a71383609690c36e
parent	4f5cc096bfd0a591f8a11e86999e3d90a9484c34 (diff)