Package: squashfs-tools-ng
Version: 1.1.4-1
Severity: minor

In mknode.c:fstree_mknode, if the parent directory link count is too
large, the tree_node_t that was just calloc'ed is free'd before
returning.  However, it has already been linked to the parent's children
list.  This causes a double free of that pointer when the parent is
subsequently free'd.  Also, all of the other children may not be free'd
and/or free may be called with invalid pointers, depending on whether
the just-freed memory gets reallocated and used before exit.

This is only a minor bug, because gensquashfs is about to exit with an
error, but it clutters stderr with irrelevant messages.

I didn't follow the error return path to be sure, but I think if the
call to free(n) just before errno = EMLINK is removed, everything will
get properly freed farther up the call stack.

...Marvin


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'stable'), (500, 'oldstable'), (200, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.17.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages squashfs-tools-ng depends on:
ii  libc6         2.33-7
ii  liblzma5      5.2.5-2.1
ii  liblzo2-2     2.10-2
ii  libselinux1   3.3-1+b2
ii  libsquashfs1  1.1.4-1
ii  libzstd1      1.5.2+dfsg-1
ii  zlib1g        1:1.2.11.dfsg-4

squashfs-tools-ng recommends no packages.

squashfs-tools-ng suggests no packages.

-- no debconf information
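The report describes a classic error-path ordering defect: a freshly allocated node is linked into its parent's child list and only then rejected, so the error path frees memory the parent still points at, and the later teardown frees it again. The following is an added, constructed C illustration of that pattern and of the usual fix (validate before allocating or linking); it is not squashfs-tools-ng's code, and the `tree_node_t` layout, `MAX_LINKS` limit and function names are assumptions made for the example. The buggy variant is included for reading only; building the fixed variant's caller with `-fsanitize=address` and swapping in `mknode_buggy` is the quickest way to see the double free reported.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the error-path ordering bug described in the
 * report. The struct, the limit and the names are assumptions for this
 * example, not squashfs-tools-ng's actual definitions. */
#define MAX_LINKS 4   /* deliberately small so the limit is easy to hit */

typedef struct tree_node {
    struct tree_node *parent;
    struct tree_node *children;  /* head of a singly linked child list */
    struct tree_node *next;      /* next sibling */
    unsigned link_count;         /* number of children linked so far */
    char name[32];
} tree_node_t;

/* Buggy ordering: the node is linked into the parent BEFORE the limit check,
 * then freed on the error path while parent->children still points at it.
 * Not exercised by the tests: freeing the parent afterwards is a double free
 * (AddressSanitizer reports it as attempting double-free). */
tree_node_t *mknode_buggy(tree_node_t *parent, const char *name)
{
    tree_node_t *n = calloc(1, sizeof(*n));
    if (n == NULL)
        return NULL;
    strncpy(n->name, name, sizeof(n->name) - 1);
    n->parent = parent;
    n->next = parent->children;
    parent->children = n;            /* linked here ...                    */

    if (parent->link_count >= MAX_LINKS) {
        free(n);                     /* ... freed here: the list now dangles */
        errno = EMLINK;
        return NULL;
    }
    parent->link_count++;
    return n;
}

/* Fixed ordering: validate before anything is allocated or linked, so a
 * failure leaves the tree exactly as it was and teardown frees each node once. */
tree_node_t *mknode_fixed(tree_node_t *parent, const char *name)
{
    if (parent->link_count >= MAX_LINKS) {
        errno = EMLINK;
        return NULL;
    }
    tree_node_t *n = calloc(1, sizeof(*n));
    if (n == NULL)
        return NULL;
    strncpy(n->name, name, sizeof(n->name) - 1);
    n->parent = parent;
    n->next = parent->children;
    parent->children = n;
    parent->link_count++;
    return n;
}

size_t count_children(const tree_node_t *parent)
{
    size_t c = 0;
    for (const tree_node_t *n = parent->children; n != NULL; n = n->next)
        c++;
    return c;
}

/* Frees a subtree and returns how many nodes were freed. Every node is
 * reachable exactly once, so every pointer is passed to free() exactly once. */
size_t free_tree(tree_node_t *root)
{
    size_t freed = 0;
    tree_node_t *c = root->children;
    while (c != NULL) {
        tree_node_t *next = c->next;   /* read before c is freed */
        freed += free_tree(c);
        c = next;
    }
    free(root);
    return freed + 1;
}

/* Fills a directory to MAX_LINKS children, then tries one more. Returns the
 * errno of the failed attempt (EMLINK) if the tree stayed consistent and was
 * freed cleanly, 0 otherwise. */
int demo(void)
{
    tree_node_t *dir = calloc(1, sizeof(*dir));
    if (dir == NULL)
        return 0;
    for (unsigned i = 0; i < MAX_LINKS; i++) {
        if (mknode_fixed(dir, "child") == NULL) {
            free_tree(dir);
            return 0;
        }
    }
    size_t before = count_children(dir);
    errno = 0;
    tree_node_t *extra = mknode_fixed(dir, "one-too-many");
    int err = errno;
    size_t after = count_children(dir);
    size_t freed = free_tree(dir);     /* one clean pass over every node */
    if (extra != NULL || before != after || freed != MAX_LINKS + 1)
        return 0;
    return err;
}
```

The invariant that makes `free_tree` safe is that a pointer appears in the tree if and only if it is still allocated; `mknode_fixed` preserves it on every path, whereas `mknode_buggy` breaks it on the EMLINK path, which is exactly the situation the report describes at the moment gensquashfs starts its error exit.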
