nigels-com
commented
5 years ago If I follow the reasoning the block list is variable length and the fix is to take the rest of the buffer rather than just the first uint32_t ?
Closed darktemplarbasealt closed 5 years ago
nigels-com
commented
5 years ago If I follow the reasoning the block list is variable length and the fix is to take the rest of the buffer rather than just the first uint32_t ?
darktemplarbasealt
commented
5 years ago Few lines earlier, in function reg_header block_list is defined similar way. I've changed it here to make it same and not sure if it's actually used anywhere.
The issue is that the self.block_list,offset = self.autoMakeBufInteger(buff,offset,4) line increments offset by 4 bytes, and the modified offset is returned. After that on line 849 incorrect offset is saved to block_ptr variable, and later it's used in function read_block_list and invalid blocks list is returned. For example, instead of block list [ value1, value2, value3 ] I'm receiving block list [ value2, value3, invalid_value ]. After that, since block is compressed, decompressor raises exception about invalid data block.
The issue was discovered when processing altinst squashfs file inside following iso (iso file is almost 7Gb in size, but squashfs altinst is only 370Mb):
When using this python module decompression errors were encountered, while squashfs-tools handled that file without any issues. First file I'm getting this issue for is squashfs-root/usr/lib/locale/C.utf8/LC_CTYPE from mentioned altinst squashfs from linked iso.
nigels-com
commented
5 years ago Indeed confirming this fixes our problem too.
Much appreciated!
When processing SQUASHFS_LREG_TYPE entries, excessive read of 4 bytes is made, which leads to detecting incorrect block offsets