author | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 19:52:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-07-07 19:52:10 +0000 |
commit | 10422f18285619f8f57b8b4ab5ca829eb21c115f (patch) | |
tree | 59c1ac9f33f56838bbb37150ce2a7e1a5cf5dc59 /main/squashfs-tools | |
parent | 5dde2329f8145b8629b4c808b2967976d53e8d27 (diff) | |
main/squashfs-tools: security fix for CVE-2015-4645/4646
ref #4416
Diffstat (limited to 'main/squashfs-tools')
-rw-r--r-- | main/squashfs-tools/APKBUILD | 12 | ||||
-rw-r--r-- | main/squashfs-tools/CVE-2015-4645.patch | 29 |
2 files changed, 37 insertions, 4 deletions
diff --git a/main/squashfs-tools/APKBUILD b/main/squashfs-tools/APKBUILD
index 90e5e9f0d1..366c4eace7 100644
--- a/main/squashfs-tools/APKBUILD
+++ b/main/squashfs-tools/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=squashfs-tools
 pkgver=4.3
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools for squashfs, a highly compressed read-only filesystem for Linux."
 url="http://squashfs.sourceforge.net"
 arch="all"
@@ -11,6 +11,7 @@ makedepends="zlib-dev xz-dev lzo-dev attr-dev"
 source="http://downloads.sourceforge.net/sourceforge/squashfs/squashfs$pkgver.tar.gz
 fix-compat.patch
 vla-overlow.patch
+ CVE-2015-4645.patch
 "
 _builddir="$srcdir/squashfs$pkgver/$pkgname"
@@ -36,10 +37,13 @@ package() {
 }
 md5sums="d92ab59aabf5173f2a59089531e30dbf squashfs4.3.tar.gz
 1bb2bed6830d32b76f1ca1b6c0349fcd fix-compat.patch
-d34cb53db691f0fb58425bb5ab30f6d4 vla-overlow.patch"
+d34cb53db691f0fb58425bb5ab30f6d4 vla-overlow.patch
+c475b848e0c2e2b2eef3ddf2e3c23803 CVE-2015-4645.patch"
 sha256sums="0d605512437b1eb800b4736791559295ee5f60177e102e4d4ccd0ee241a5f3f6 squashfs4.3.tar.gz
 249d10b4df7921fae5e0ab4c1f44f3346229f16851240d61a24e85006ed886e6 fix-compat.patch
-213f3f23576c99099305f717a279507913ab2b8df4dd8f502153e73b2d0a9df5 vla-overlow.patch"
+213f3f23576c99099305f717a279507913ab2b8df4dd8f502153e73b2d0a9df5 vla-overlow.patch
+ff71a62a435a9089b0fc95280aa3a8310b131653d37e55eed10a0f7d0100359b CVE-2015-4645.patch"
 sha512sums="854ed7acc99920f24ecf11e0da807e5a2a162eeda55db971aba63a03f0da2c13b20ec0564a906c4b0e415bd8258b273a10208c7abc0704f2ceea773aa6148a79 squashfs4.3.tar.gz
 868e3923f98a7f8bb980fe8ab0d648e9ae9a55e324bea3830d6047aa348a4302dcb96d65bf59c6e04665891d822e18fad367a37c6704505b8492f64d749fc140 fix-compat.patch
-975d09d047f4122866e83c4322ce3a15795c051b850d14a85a615c3beef970378e5a620ee16058b9c5104c53f973f9b3804d96c3ba1ab4f622f1e096c04e0360 vla-overlow.patch"
+975d09d047f4122866e83c4322ce3a15795c051b850d14a85a615c3beef970378e5a620ee16058b9c5104c53f973f9b3804d96c3ba1ab4f622f1e096c04e0360 vla-overlow.patch
+77431a0a4a529ce63f1613a65a23af2fb8683a16d14ad1a5cfed3a9fac4df6a1212f081d1879ede188a25b77e860445058012131423c546657fb562069865d2c CVE-2015-4645.patch"
diff --git a/main/squashfs-tools/CVE-2015-4645.patch b/main/squashfs-tools/CVE-2015-4645.patch
new file mode 100644
index 0000000000..f69025f180
--- /dev/null
+++ b/main/squashfs-tools/CVE-2015-4645.patch
@@ -0,0 +1,29 @@
+diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
+index ecdaac796f09..2c0cf63daf67 100644
+--- a/squashfs-tools/unsquash-4.c
++++ b/squashfs-tools/unsquash-4.c
+@@ -31,9 +31,9 @@ static unsigned int *id_table;
+ int read_fragment_table_4(long long *directory_table_end)
+ {
+ int res, i;
+- int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+- int indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+- long long fragment_table_index[indexes];
++ size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
++ size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
++ long long *fragment_table_index;
+
+ TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
+ "from 0x%llx\n", sBlk.s.fragments, indexes,
+@@ -44,6 +44,11 @@ int read_fragment_table_4(long long *directory_table_end)
+ return TRUE;
+ }
+
++ fragment_table_index = malloc(indexes*sizeof(long long));
++ if(fragment_table_index == NULL)
++ EXIT_UNSQUASH("read_fragment_table: failed to allocate "
++ "fragment table index\n");
++
+ fragment_table = malloc(bytes);
+ if(fragment_table == NULL)
+ EXIT_UNSQUASH("read_fragment_table: failed to allocate " |
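Review bot: `bytes` and `indexes` in the embedded unsquash-4.c patch are still derived from the image-supplied `sBlk.s.fragments` with no upper bound, so replacing the VLA with `malloc(indexes*sizeof(long long))` takes the table off the stack but leaves the allocation size under the control of whoever built the image. The `SQUASHFS_FRAGMENT_*` macros are not visible here, so whether their arithmetic can wrap a 32-bit `size_t` needs confirming; `fragment_table_index = calloc(indexes, sizeof(long long));` would at least reject a wrapping product at this call. Neither hunk adds a `free(fragment_table_index);`, and the VLA it replaces needed none, so unless code outside the hunks releases it the buffer leaks on every return path after the allocation (the body of `read_fragment_table_4` continues past the second hunk). In the first hunk `indexes` becomes `size_t` while the `TRACE` call still formats it with `%d`; that specifier should be `%zu`.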