From 888a4f073b4222727c3bceb529ca9e35533f6467 Mon Sep 17 00:00:00 2001
From: "Andrew V. Samoilov"
Date: Thu, 25 Oct 2001 14:24:29 +0000
Subject: [PATCH] * cpio.c (cpio_read_crc_head): Fix buffer overflow. (cpio_read_oldc_head): Likewise. By drk@sgi.com. http://bugzilla.gnome.org/show_bug.cgi?id=60933 * (cpio_read_oldc_head): Release name if mc_read fails.
---
 vfs/ChangeLog | 8 ++++++++
 vfs/cpio.c | 9 +++++----
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/vfs/ChangeLog b/vfs/ChangeLog
index ec7d6459d..e966d79d6 100644
--- a/vfs/ChangeLog
+++ b/vfs/ChangeLog
@@ -1,3 +1,11 @@
+2001-10-25 Andrew V. Samoilov
+
+ * cpio.c (cpio_read_crc_head): Fix buffer overflow.
+ (cpio_read_oldc_head): Likewise. By drk@sgi.com.
+ http://bugzilla.gnome.org/show_bug.cgi?id=60933
+
+ * (cpio_read_oldc_head): Release name if mc_read fails.
+
 2001-10-24 Andrew V. Samoilov
 * tcputil.c (rpc_get): Add missing va_end()s.
diff --git a/vfs/cpio.c b/vfs/cpio.c
index 0d8da8b1f..d72283eba 100644
--- a/vfs/cpio.c
+++ b/vfs/cpio.c
@@ -300,7 +300,7 @@ static int cpio_read_oldc_head(vfs *me, vfs_s_super *super)
 if((len = mc_read(super->u.cpio.fd, (void *)buf, HEAD_LENGTH)) < HEAD_LENGTH)
 return STATUS_EOF;
 CPIO_POS(super) += len;
- buf[HEAD_LENGTH + 1] = 0;
+ buf[HEAD_LENGTH] = 0;
 if(sscanf((void *)buf, "070707%6lo%6lo%6lo%6lo%6lo%6lo%6lo%11lo%6lo%11lo",
 &hd.c_dev, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
@@ -311,9 +311,10 @@ static int cpio_read_oldc_head(vfs *me, vfs_s_super *super)
 }
 name = g_malloc(hd.c_namesize);
- if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize)
+ if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize) {
+ g_free (name);
 return STATUS_EOF;
-
+ }
 CPIO_POS(super) += len;
 cpio_skip_padding(super);
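Review bot: The corrected write `buf[HEAD_LENGTH] = 0;` in the `@@ -300,7 +300,7 @@` hunk is in bounds only if `buf` has at least `HEAD_LENGTH + 1` elements, and its declaration is outside the hunk, so that is worth confirming before relying on the fix. A comment at the write, such as `/* buf holds HEAD_LENGTH header bytes plus one byte for the terminator */`, would tie the index to the declared size so the two do not drift apart again. The same point applies to the identical change in the cpio_read_crc_head hunk (`@@ -348,7 +349,7 @@`). The body of cpio_read_oldc_head starts before and continues after this hunk.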
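Review bot: In the `@@ -311,9 +311,10 @@` hunk, `hd.c_namesize` is taken from the archive header and passed to `g_malloc(hd.c_namesize)` and `mc_read(..., name, hd.c_namesize)` with no range check visible, so a corrupt or hostile archive chooses the allocation size. A zero size would make GLib's g_malloc return NULL, and nothing in the hunk shows that the bytes read into `name` are NUL-terminated before later use. A guard ahead of the allocation would reject such headers, for example `if (hd.c_namesize == 0 || hd.c_namesize > NAME_LIMIT)` followed by the function's failure return, where `NAME_LIMIT` is a placeholder for whatever path-length bound the project uses. If `len` is a signed int and `c_namesize` an unsigned long (the declarations are outside the hunk), a negative `mc_read` result would also slip past the `<` comparison, so checking `len < 0` separately is worth considering. The function body continues outside the hunk.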
@@ -348,7 +349,7 @@ static int cpio_read_crc_head(vfs *me, vfs_s_super *super)
 if((len = mc_read(super->u.cpio.fd, buf, HEAD_LENGTH)) < HEAD_LENGTH)
 return STATUS_EOF;
 CPIO_POS(super) += len;
- buf[HEAD_LENGTH + 1] = 0;
+ buf[HEAD_LENGTH] = 0;
 if(sscanf(buf, "%6ho%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx",
 &hd.c_magic, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,