plougher / squashfs-tools

When appending to an existing squashfs image, already existing items are read into the old_root_entry_info array.

Later on, in populate_tree, this entry is processed, and in particular entry->inode->buf.st_mode is accessed:

squashfs-tools/squashfs-tools/mksquashfs.c

Line 4809 in 04d3bc8

if(S_ISDIR(entry->inode->buf.st_mode) && !entry->inode->root_entry) {

However, when entry->inode (of type struct stat) is created for squashfs entries (in add_old_root_entry), buf is left unassigned:

squashfs-tools/squashfs-tools/mksquashfs.c

Lines 5184 to 5190 in 04d3bc8

    
           	old_root_entry[old_root_entries].name = strdup(name); 
        
           	old_root_entry[old_root_entries].inode.inode = inode; 
        
           	old_root_entry[old_root_entries].inode.inode_number = inode_number; 
        
           	old_root_entry[old_root_entries].inode.type = type; 
        
           	old_root_entry[old_root_entries++].inode.root_entry = TRUE; 
        
           }

This leads to undefined behavior per C99, unless I'm missing initialization somewhere else. With a bit of bad luck, this would misidentify the preexisting entries.

The simple solution would be to add something like

 memset(&old_root_entry[old_root_entries].inode.buf, 0,
	sizeof(old_root_entry[old_root_entries].inode.buf));

to add_old_root_entry

if(S_ISDIR(entry->inode->buf.st_mode) && !entry->inode->root_entry) {

With an old root entry the above will always evaluate to FALSE because entry->inode->root_entry == TRUE, and so the lack of initialisation of buf doesn't produce an unexpected result.

But, the code shouldn't be accessing uninitialised memory.


	old_root_entry[old_root_entries].name = strdup(name);
	old_root_entry[old_root_entries].inode.inode = inode;
	old_root_entry[old_root_entries].inode.inode_number = inode_number;
	old_root_entry[old_root_entries].inode.type = type;
	old_root_entry[old_root_entries++].inode.root_entry = TRUE;
	}

Uninitialized struct stat in populate_tree