--- /dev/null
+From d05276dc1d6de119da518d62930b9a8ef55ef7e9 Mon Sep 17 00:00:00 2001
+From: Yousong Zhou <yszhou4tech@gmail.com>
+Date: Fri, 25 Oct 2019 10:48:47 +0000
+Subject: [PATCH] libblkid-tiny: ntfs: fix use-after-free
+
+The memory pointed to by ns can be reallocated when checking mft records
+
+Fixes FS#2129
+
+Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
+---
+ libblkid-tiny/ntfs.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/libblkid-tiny/ntfs.c
++++ b/libblkid-tiny/ntfs.c
+@@ -88,6 +88,7 @@ static int probe_ntfs(blkid_probe pr, co
+
+ uint32_t sectors_per_cluster, mft_record_size;
+ uint16_t sector_size;
++ uint64_t volume_serial;
+ uint64_t nr_clusters, off; //, attr_off;
+ unsigned char *buf_mft;
+
+@@ -148,15 +149,16 @@ static int probe_ntfs(blkid_probe pr, co
+ return 1;
+
+
++ volume_serial = ns->volume_serial;
+ off = le64_to_cpu(ns->mft_cluster_location) * sector_size *
+ sectors_per_cluster;
+
+ DBG(LOWPROBE, ul_debug("NTFS: sector_size=%"PRIu16", mft_record_size=%"PRIu32", "
+ "sectors_per_cluster=%"PRIu32", nr_clusters=%"PRIu64" "
+- "cluster_offset=%"PRIu64"",
++ "cluster_offset=%"PRIu64", volume_serial=%"PRIu64"",
+ sector_size, mft_record_size,
+ sectors_per_cluster, nr_clusters,
+- off));
++ off, volume_serial));
+
+ buf_mft = blkid_probe_get_buffer(pr, off, mft_record_size);
+ if (!buf_mft)
+@@ -207,9 +209,9 @@ static int probe_ntfs(blkid_probe pr, co
+ #endif
+
+ blkid_probe_sprintf_uuid(pr,
+- (unsigned char *) &ns->volume_serial,
+- sizeof(ns->volume_serial),
+- "%016" PRIX64, le64_to_cpu(ns->volume_serial));
++ (unsigned char *) &volume_serial,
++ sizeof(volume_serial),
++ "%016" PRIX64, le64_to_cpu(volume_serial));
+ return 0;
+ }
+
projects / openwrt / staging / chunkeey.git / commitdiff