1 files changed, 82 insertions, 0 deletions

diff --git a/debian/patches/gpg0001-isofs-make-superblock-detection-more-robust.patch b/debian/patches/gpg0001-isofs-make-superblock-detection-more-robust.patch
new file mode 100644
index 00000000..3dc76f37
--- /dev/null
+++ b/debian/patches/gpg0001-isofs-make-superblock-detection-more-robust.patch
@@ -0,0 +1,82 @@
+From 21ee0e79e90c3cf63613bc1a00a609cfaf1777b2 Mon Sep 17 00:00:00 2001
+From: Justus Winter <justus@gnupg.org>
+Date: Sun, 17 Apr 2016 16:36:32 +0200
+Subject: [PATCH hurd 1/6] isofs: make superblock detection more robust
+
+* isofs/isofs.h (disk_image_len): New variable.
+* isofs/main.c (read_sblock): Avoid out of bounds access.
+* isofs/pager.c (disk_image_len): New variable.
+(create_disk_pager): Initialize 'disk_image_len'.
+---
+ isofs/isofs.h | 1 +
+ isofs/main.c  | 9 ++-------
+ isofs/pager.c | 2 ++
+ 3 files changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/isofs/isofs.h b/isofs/isofs.h
+index 3f6690b..2ba013c 100644
+--- a/isofs/isofs.h
++++ b/isofs/isofs.h
+@@ -75,6 +75,7 @@ char *mounted_on;
+ 
+ /* Mapped image of disk */
+ void *disk_image;
++size_t disk_image_len;
+ 
+ /* Processed sblock info */
+ 
+diff --git a/isofs/main.c b/isofs/main.c
+index 95c90fe..c07cf3f 100644
+--- a/isofs/main.c
++++ b/isofs/main.c
+@@ -72,17 +72,13 @@ static void
+ read_sblock ()
+ {
+   struct voldesc *vd;
+-  error_t err;
+   struct sblock * volatile sb = 0;
+ 
+-  err = diskfs_catch_exception ();
+-  if (err)
+-    error (4, err, "reading superblock");
+-
+   /* Start at logical sector 16 and keep going until
+      we find a matching superblock */
+   for (vd = disk_image + (logical_sector_size * 16);
+-       (void *) vd < disk_image + (logical_sector_size * 500); /* for sanity */
++       (void *) vd < disk_image + (logical_sector_size * 500) /* for sanity */
++         && (void *) vd + logical_sector_size < disk_image + disk_image_len;
+        vd = (void *) vd + logical_sector_size)
+     {
+       if (vd->type == VOLDESC_END)
+@@ -105,7 +101,6 @@ read_sblock ()
+   if (!sblock)
+     error (1, errno, "Could not allocate memory for superblock");
+   memcpy (sblock, sb, sizeof (struct sblock));
+-  diskfs_end_catch_exception ();
+ 
+   /* Parse some important bits of this */
+   logical_block_size = isonum_723 (sblock->blksize);
+diff --git a/isofs/pager.c b/isofs/pager.c
+index 35de37e..b4be4e2 100644
+--- a/isofs/pager.c
++++ b/isofs/pager.c
+@@ -28,6 +28,7 @@ struct port_bucket *pager_bucket;
+ 
+ /* Mapped image of the disk */
+ void *disk_image;
++size_t disk_image_len;
+ 
+ 
+ /* Implement the pager_read_page callback from the pager library.  See
+@@ -148,6 +149,7 @@ create_disk_pager (void)
+   upi->np = 0;
+   pager_bucket = ports_create_bucket ();
+   diskfs_start_disk_pager (upi, pager_bucket, 1, 0, store->size, &disk_image);
++  disk_image_len = store->size;
+   upi->p = diskfs_disk_pager;
+ }
+ 
+-- 
+2.1.4
+