From c227a1d855cb6ab86d4927c0231cd8d3afbc957d Mon Sep 17 00:00:00 2001
From: lei wang wang
Date: Fri, 21 Aug 2015 11:13:46 +0800
Subject: [PATCH] libsparse: use strcmp and validate last_used pointer

This patch is used to fix two Bugs in backed_block.c First, fix wrong comparing string way: we should use strcmp rather than just compare their address. Second, fix using illegal memory risk in bbl->last_used pointer. When entering queue_bb function, bbl->last_used = new_bb, but in the following code if queue_bb(xx, bb, new_bb) return ok, the space of new_bb is released. So next time, if you use bbl->last_used pointer, may cause segment fault !

Change-Id: I6abb505f9b903b697448639fc64fb7518df5cca1
---
 libsparse/backed_block.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/libsparse/backed_block.c b/libsparse/backed_block.c
index 3e72b57c7..794cd6b17 100644
--- a/libsparse/backed_block.c
+++ b/libsparse/backed_block.c
@@ -221,7 +221,8 @@ static int merge_bb(struct backed_block_list *bbl,
 		}
 		break;
 	case BACKED_BLOCK_FILE:
-		if (a->file.filename != b->file.filename ||
+		/* Already make sure b->type is BACKED_BLOCK_FILE */
+		if (strcmp(a->file.filename, b->file.filename) ||
 				a->file.offset + a->len != b->file.offset) {
 			return -EINVAL;
 		}
@@ -279,7 +280,10 @@ static int queue_bb(struct backed_block_list *bbl, struct backed_block *new_bb)
 	}
 
 	merge_bb(bbl, new_bb, new_bb->next);
-	merge_bb(bbl, bb, new_bb);
+	if (!merge_bb(bbl, bb, new_bb)) {
+		/* new_bb destroyed, point to retained as last_used */
+		bbl->last_used = bb;
+	}
 
 	return 0;
 }
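Review bot: The new `strcmp(a->file.filename, b->file.filename)` dereferences both filename pointers, so a NULL filename on either block is now undefined behaviour where the old address compare would at worst have returned -EINVAL; whether a BACKED_BLOCK_FILE entry can ever carry a NULL filename (for instance if the path that copies the name does not fail closed) is not visible in this hunk and should be confirmed or guarded with `if (!a->file.filename || !b->file.filename || strcmp(a->file.filename, b->file.filename) != 0 ||`. The added comment leans on a type check that is outside the hunk; state what it relies on rather than that it was "already made sure", e.g. `/* a->type == b->type is checked before the switch, so b is a file block too */` (assuming that check exists above — it is not shown here). Writing the comparison as `strcmp(...) != 0` also makes the intent plain, since the bare return value reads as a boolean. merge_bb() starts and ends outside the hunk.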
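Review bot: The fix relies on merge_bb() returning 0 to mean "the second block was merged and freed", but that ownership contract is stated nowhere in the hunk, and the preceding `merge_bb(bbl, new_bb, new_bb->next);` still ignores its result, so a reader cannot tell from this function which pointers survive each call. Write the test as `if (merge_bb(bbl, bb, new_bb) == 0) {` and replace the added comment with `/* merge_bb() returned 0: new_bb was folded into bb and freed, so last_used must move to the surviving node */`; a one-line note on merge_bb() itself saying that success destroys its third argument would anchor the contract where it belongs. The dangling last_used the description calls a segfault is a use-after-free, and this change only repairs the copy held in bbl; if any caller of queue_bb() keeps new_bb after the call it is presumably still dangling, which is worth confirming. queue_bb() starts outside the hunk.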