From 0f4eecc000f66d114ad258fa31aed66afa292166 Mon Sep 17 00:00:00 2001
From: AJ Bagwell
Date: Mon, 11 Nov 2019 10:32:22 +0000
Subject: dosfstools: fix out of bound writes

Fix write issues where sprintf writes across both name and ext fields and drops the final null ternimator outside the struct
Signed-off-by: AJ Bagwell
Signed-off-by: Ross Burton
---
 .../dosfstools/fixing-out-of-bound-writes.patch | 54 ++++++++++++++++++++++
 recipes-devtools/dosfstools/dosfstools_2.11.bb | 1 +
 2 files changed, 55 insertions(+)
 create mode 100644 recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
diff --git a/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
new file mode 100644
index 0000000..f80f5ab
--- /dev/null
+++ b/recipes-devtools/dosfstools/dosfstools/fixing-out-of-bound-writes.patch
@@ -0,0 +1,54 @@
+Fix out of bound write issues where sprintf writes across both
+name and ext fields and drops the final null ternimator outside the struct
+
+Upstream-Status: Inappropriate [licensing]
+We're tracking an old release of dosfstools due to licensing issues.
+
+diff --git a/dosfsck/check.c b/dosfsck/check.c
+index e8c13bb..91177d3 100644
+--- a/dosfsck/check.c
++++ b/dosfsck/check.c
+@@ -58,6 +58,13 @@ static DOS_FILE *root;
+ } \
+ } while(0)
+
++static void de_printf(DIR_ENT *de, const char *pattern, int curr_num)
++{
++ char buffer[12];
++ sprintf(buffer, pattern, curr_num);
++ memcpy(de->name, buffer, 8);
++ memcpy(de->ext, buffer + 8, 3);
++}
+
+ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ {
+@@ -110,7 +117,8 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ }
+ memset(de,0,sizeof(DIR_ENT));
+ while (1) {
+- sprintf(de->name,pattern,curr_num);
++ de_printf(de, pattern, curr_num);
++
+ clu_num = fs->root_cluster;
+ i = 0;
+ offset2 = cluster_start(fs,clu_num);
+@@ -150,7 +158,7 @@ loff_t alloc_rootdir_entry(DOS_FS *fs, DIR_ENT *de, const char *pattern)
+ offset = fs->root_start+next_free*sizeof(DIR_ENT);
+ memset(de,0,sizeof(DIR_ENT));
+ while (1) {
+- sprintf(de->name,pattern,curr_num);
++ de_printf(de, pattern, curr_num);
+ for (scan = 0; scan < fs->root_entries; scan++)
+ if (scan != next_free &&
+ !strncmp(root[scan].name,de->name,MSDOS_NAME))
+@@ -311,8 +319,8 @@ static void auto_rename(DOS_FILE *file)
+ first = file->parent ? file->parent->first : root;
+ number = 0;
+ while (1) {
+- sprintf(file->dir_ent.name,"FSCK%04d",number);
+- strncpy(file->dir_ent.ext,"REN",3);
++ de_printf(&file->dir_ent, "FSCK%04dREN", number);
++
+ for (walk = first; walk; walk = walk->next)
+ if (walk != file && !strncmp(walk->dir_ent.name,file->dir_ent.
+ name,MSDOS_NAME)) break;
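Review bot: The `sprintf(buffer, pattern, curr_num)` in the new `de_printf` is still unbounded, so the out-of-bounds write moves from the directory entry to the 12-byte stack buffer: `%04d` is only a minimum width, and with `"FSCK%04dREN"` any value of 10000 or more yields 12 characters plus the terminator. Use `snprintf(buffer, sizeof buffer, pattern, curr_num);` and declare `char buffer[12] = {0};`, the latter so that a result shorter than 11 characters does not let the two `memcpy` calls copy uninitialised stack bytes into `de->name` and `de->ext`. Whether `curr_num` and `number` are capped cannot be seen here, because the `while (1)` loops in `alloc_rootdir_entry` and `auto_rename` continue outside the hunks, and the `pattern` given to `alloc_rootdir_entry` comes from callers outside this patch. Checking the `snprintf` return value and stopping on truncation would make the limit explicit.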
diff --git a/recipes-devtools/dosfstools/dosfstools_2.11.bb b/recipes-devtools/dosfstools/dosfstools_2.11.bb
index dd543b1..37c2181 100644
--- a/recipes-devtools/dosfstools/dosfstools_2.11.bb
+++ b/recipes-devtools/dosfstools/dosfstools_2.11.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://pkgs.fedoraproject.org/repo/pkgs/${BPN}/${BP}.src.tar.gz/407d4
 file://nofat32_autoselect.patch \
 file://fix_populated_dosfs_creation.patch \
 file://0001-Include-fcntl.h-for-getting-loff_t-definition.patch \
+ file://fixing-out-of-bound-writes.patch \
 "
 SRC_URI[md5sum] = "407d405ade410f7597d364ab5dc8c9f6"
--
cgit v1.2.3-54-g00ecf