main/squashfs-tools: security fix for CVE-2015-4645/4646

ref #4416
fixes #4417

(cherry picked from commit 10422f18285619f8f57b8b4ab5ca829eb21c115f)

Conflicts:
	main/squashfs-tools/APKBUILD

2 files changed, 34 insertions, 4 deletions

diff --git a/main/squashfs-tools/APKBUILD b/main/squashfs-tools/APKBUILD
index caad116f8a..bd6933ecb5 100644
--- a/main/squashfs-tools/APKBUILD
+++ b/main/squashfs-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squashfs-tools
 pkgver=4.2
-pkgrel=3
+pkgrel=4
 pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux."
 url="http://squashfs.sourceforge.net"
 arch="all"
@@ -11,6 +11,7 @@ makedepends="zlib-dev xz-dev lzo-dev attr-dev"
 source="http://downloads.sourceforge.net/sourceforge/squashfs/squashfs$pkgver.tar.gz
 	fix-compat.patch
 	vla-overlow.patch
+	CVE-2015-4645.patch
 "
 
 _builddir="$srcdir/squashfs$pkgver/$pkgname"
@@ -36,10 +37,13 @@ package() {
 }
 md5sums="1b7a781fb4cf8938842279bd3e8ee852  squashfs4.2.tar.gz
 da3de5c99f6ef34f83a88a066447eac0  fix-compat.patch
-d34cb53db691f0fb58425bb5ab30f6d4  vla-overlow.patch"
+d34cb53db691f0fb58425bb5ab30f6d4  vla-overlow.patch
+4e3ccd009caa313fac1fd8d795c70bb7  CVE-2015-4645.patch"
 sha256sums="d9e0195aa922dbb665ed322b9aaa96e04a476ee650f39bbeadb0d00b24022e96  squashfs4.2.tar.gz
 1b10b07691253a97dba93d6a80220b59d2a4be21e306e3ea91265690570a4ed2  fix-compat.patch
-213f3f23576c99099305f717a279507913ab2b8df4dd8f502153e73b2d0a9df5  vla-overlow.patch"
+213f3f23576c99099305f717a279507913ab2b8df4dd8f502153e73b2d0a9df5  vla-overlow.patch
+5754b29fa1864e77201318f7213cf144dc1e8beb1f66320733f264d3ab34a447  CVE-2015-4645.patch"
 sha512sums="4b69c5d3008803347d0ce7628957e3873c9ebd799662b25dfb739afb6a1ce97bdd02b0465ac4d949bc38af2155880ac068209dc638b94e5c86a8011ec3a00de0  squashfs4.2.tar.gz
 9532d29e06a691c0628cff21bb4a361d5e6f888adbeef150f52ab65f20678e3ada0a60489d73eba6f0ca8b3eab4c18baf87c6d24c23da0cf81afacf940d1eb91  fix-compat.patch
-975d09d047f4122866e83c4322ce3a15795c051b850d14a85a615c3beef970378e5a620ee16058b9c5104c53f973f9b3804d96c3ba1ab4f622f1e096c04e0360  vla-overlow.patch"
+975d09d047f4122866e83c4322ce3a15795c051b850d14a85a615c3beef970378e5a620ee16058b9c5104c53f973f9b3804d96c3ba1ab4f622f1e096c04e0360  vla-overlow.patch
+09b697b76af01f8c06fa4e90c6cca277817eb4ae1387071eca0aaff95f948b3390eeca88af5777f139dd6548db10a671d7202acb8e579e4c3930bb9ac03f4fdc  CVE-2015-4645.patch"
diff --git a/main/squashfs-tools/CVE-2015-4645.patch b/main/squashfs-tools/CVE-2015-4645.patch
new file mode 100644
index 0000000000..34d208baae
--- /dev/null
+++ b/main/squashfs-tools/CVE-2015-4645.patch
@@ -0,0 +1,26 @@
+--- ./squashfs-tools/unsquash-4.c.orig
++++ ./squashfs-tools/unsquash-4.c
+@@ -31,8 +31,9 @@
+ 
+ int read_fragment_table_4()
+ {
+-	int res, i, indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+-	long long fragment_table_index[indexes];
++	int res, i;
++	size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++	long long *fragment_table_index;
+ 
+ 	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ 		"from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -40,6 +41,11 @@
+ 
+ 	if(sBlk.s.fragments == 0)
+ 		return TRUE;
++
++	fragment_table_index = malloc(indexes*sizeof(long long));
++	if(fragment_table_index == NULL)
++		EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++			"fragment table index\n");
+ 
+ 	fragment_table = malloc(sBlk.s.fragments *
+ 		sizeof(struct squashfs_fragment_entry));