mirror of
https://github.com/openwrt/openwrt.git
synced 2026-07-19 22:51:49 +04:00
7e7bd602ea
When growing the segment array in find_entry(), the memset() that zeroes the newly allocated slots computed the destination with redundant sizeof scaling: memset(segments + (num_segments * sizeof(struct tffs_entry_segment)), ...) segments is a typed pointer, so pointer arithmetic already scales by the element size. Multiplying the offset by sizeof again advances the destination by num_segments * sizeof^2 bytes, landing far outside the realloc()'d buffer and zeroing unrelated heap memory whenever a TFFS entry spans multiple segments that require array expansion. Drop the redundant multiplication so the memset targets segments[num_segments]. This is a robustness fix for malformed/corrupt TFFS content; the parser only reads the on-device nand-tffs MTD partition as root, so it is not considered security relevant. Reported-by: @Vasco0x4 Assisted-by: Claude:claude-opus-4-8 Link: https://github.com/openwrt/openwrt/pull/23763 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>