From 3c0d67184d6edb63f3b7d6d5eb81531daa6388f3 Mon Sep 17 00:00:00 2001
From: Changqing Li <changqing.li@windriver.com>
Date: Tue, 28 Aug 2018 16:25:36 +0800
Subject: [PATCH] squashfs-tools: patch for CVE-2015-4645(6)

Upstream-Status: Backport[https://github.com/devttys0/sasquatch/pull/
                 5/commits/6777e08cc38bc780d27c69c1d8c272867b74524f]

CVE: CVE-2015-4645 CVE-2015-4646

Signed-off-by: Changqing Li <changqing.li@windriver.com>
---
 squashfs-tools/unsquash-4.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/squashfs-tools/unsquash-4.c b/squashfs-tools/unsquash-4.c
index ecdaac7..692ae25 100644
--- a/squashfs-tools/unsquash-4.c
+++ b/squashfs-tools/unsquash-4.c
@@ -31,9 +31,9 @@ static unsigned int *id_table;
 int read_fragment_table_4(long long *directory_table_end)
 {
 	int res, i;
-	int bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
-	int  indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
-	long long fragment_table_index[indexes];
+	size_t bytes = SQUASHFS_FRAGMENT_BYTES(sBlk.s.fragments);
+	size_t indexes = SQUASHFS_FRAGMENT_INDEXES(sBlk.s.fragments);
+	long long *fragment_table_index;
 
 	TRACE("read_fragment_table: %d fragments, reading %d fragment indexes "
 		"from 0x%llx\n", sBlk.s.fragments, indexes,
@@ -43,6 +43,11 @@ int read_fragment_table_4(long long *directory_table_end)
 		*directory_table_end = sBlk.s.fragment_table_start;
 		return TRUE;
 	}
+        
+	fragment_table_index = malloc(indexes*sizeof(long long));
+	if(fragment_table_index == NULL)
+		EXIT_UNSQUASH("read_fragment_table: failed to allocate "
+			"fragment table index\n");
 
 	fragment_table = malloc(bytes);
 	if(fragment_table == NULL)
-- 
2.7.4