authorlei wang wang2015-08-20 22:13:46 -0500
committerMark Salyzyn2015-08-21 09:23:31 -0500
commitc227a1d855cb6ab86d4927c0231cd8d3afbc957d (patch)
tree354f3ad28df9ef67e77de727d8dbbb13c2fbd5c2 /libsparse
parentdcf890914c7571d3068046b9df1f672e9f45b4d2 (diff)
libsparse: use strcmp and validate last_used pointer
This patch fixes two bugs in backed_block.c. First, fix the incorrect string comparison: we should use strcmp rather than just comparing the addresses. Second, fix the risk of using illegal memory through the bbl->last_used pointer. On entering the queue_bb function, bbl->last_used = new_bb, but in the following code, if queue_bb(xx, bb, new_bb) returns ok, the space of new_bb is released. So the next time the bbl->last_used pointer is used, it may cause a segmentation fault! Change-Id: I6abb505f9b903b697448639fc64fb7518df5cca1
Diffstat (limited to 'libsparse')
-rw-r--r--libsparse/backed_block.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/libsparse/backed_block.c b/libsparse/backed_block.c
index 3e72b57c7..794cd6b17 100644
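--- a/libsparse/backed_block.c
+++ b/libsparse/backed_block.c
@@ -221,7 +221,8 @@ static int merge_bb(struct backed_block_list *bbl,
 }
 break;
 case BACKED_BLOCK_FILE:
-if (a->file.filename != b->file.filename ||
+/* Already make sure b->type is BACKED_BLOCK_FILE */
+if (strcmp(a->file.filename, b->file.filename) ||
 a->file.offset + a->len != b->file.offset) {
 return -EINVAL;
 }
@@ -279,7 +280,10 @@ static int queue_bb(struct backed_block_list *bbl, struct backed_block *new_bb)
 }
 
 merge_bb(bbl, new_bb, new_bb->next);
-merge_bb(bbl, bb, new_bb);
+if (!merge_bb(bbl, bb, new_bb)) {
+/* new_bb destroyed, point to retained as last_used */
+bbl->last_used = bb;
+}
 
 return 0;
 }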
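Review bot: The new `strcmp(a->file.filename, b->file.filename)` in the `BACKED_BLOCK_FILE` case of merge_bb dereferences both filename pointers, whereas the old address comparison did not, so a NULL filename would now crash the process instead of merely failing to merge. Nothing in the hunk shows that both pointers are always non-NULL; if the code that fills in `file.filename` (outside this hunk) can leave it NULL, for instance after a failed allocation, the condition should reject that case first, e.g. `if (!a->file.filename || !b->file.filename || strcmp(a->file.filename, b->file.filename) ||`. The comment above it would read more clearly as `/* b->type was already checked to equal a->type, i.e. BACKED_BLOCK_FILE */`, assuming that check sits earlier in merge_bb. merge_bb starts and ends outside the hunk, so both the type check and the filename assignment need confirming against the full file.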