On Fri, 20 Feb 2026 14:48:08 -0500, Eric Kilmer wrote:
> sqfs_frag_lookup() reads a 16-bit metadata block header whose lower
> 15 bits encode the data size. Unlike sqfs_read_metablock() in
> sqfs_inode.c, this function does not validate that the decoded size is
> within SQFS_METADATA_BLOCK_SIZE (8192). A malformed SquashFS image can
> set the size field to any value up to 32767, causing memcpy to write
> past the 8192-byte 'entries' heap buffer.
>
> [...]
Applied to u-boot/next, thanks!
[1/1] fs/squashfs: fix heap buffer overflow in sqfs_frag_lookup()
commit: e365a269df5d01307390bdf7d6a1081d94b06470
--
Tom
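The failure mode described in the quoted report, as an added illustration that is not U-Boot's code and not the applied patch: a 16-bit little-endian metadata block header whose lower 15 bits carry the on-disk size, decoded and then copied into a fixed 8192-byte buffer. The reader below applies the bound the report says sqfs_frag_lookup() lacked (size must not exceed SQFS_METADATA_BLOCK_SIZE) before any memcpy, and also refuses blocks that run past the end of the image. SQFS_METADATA_BLOCK_SIZE and the 8192 value come from the report; the top-bit-means-uncompressed convention is SquashFS's own; the function names sqfs_read_meta_checked, sqfs_build_block and sqfs_demo_*, the error codes, and all input bytes are constructed here for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 8192 is from the report; a set top bit marks the block as stored
 * uncompressed, which is the SquashFS header convention. */
#define SQFS_METADATA_BLOCK_SIZE 8192
#define SQFS_COMPRESSED_BIT      0x8000u
#define SQFS_HEADER_SIZE         2

enum { META_OK = 0, META_ERR_TRUNCATED = -1, META_ERR_TOO_BIG = -2,
       META_ERR_COMPRESSED = -3 };

/* Little-endian 16-bit metadata block header. */
static uint16_t sqfs_meta_header(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Lower 15 bits: on-disk size of the data that follows the header (0..32767). */
static size_t sqfs_meta_data_size(uint16_t hdr)
{
    return hdr & ~SQFS_COMPRESSED_BIT;
}

static int sqfs_meta_is_compressed(uint16_t hdr)
{
    return !(hdr & SQFS_COMPRESSED_BIT);
}

/* Hypothetical hardened reader (example code, not U-Boot's): copy one
 * uncompressed metadata block at byte offset 'off' of an in-memory image into
 * 'out', which holds SQFS_METADATA_BLOCK_SIZE bytes.  The size bound is the
 * check the report describes as missing; the truncation checks keep the read
 * inside the image. */
static int sqfs_read_meta_checked(const uint8_t *img, size_t img_len, size_t off,
                                  uint8_t *out, size_t *out_len)
{
    if (off > img_len || img_len - off < SQFS_HEADER_SIZE)
        return META_ERR_TRUNCATED;

    uint16_t hdr = sqfs_meta_header(img + off);
    size_t len = sqfs_meta_data_size(hdr);

    if (len > SQFS_METADATA_BLOCK_SIZE)         /* bound before any copy */
        return META_ERR_TOO_BIG;
    if (sqfs_meta_is_compressed(hdr))            /* toy reader: no decompressor */
        return META_ERR_COMPRESSED;
    if (len > img_len - off - SQFS_HEADER_SIZE)  /* block runs past the image */
        return META_ERR_TRUNCATED;

    memcpy(out, img + off + SQFS_HEADER_SIZE, len);
    *out_len = len;
    return META_OK;
}

/* Build a constructed uncompressed block into 'buf'; returns bytes written or
 * 0 if it does not fit.  'size_field' is written to the header unchanged, so a
 * caller can forge a size larger than the 'copy_len' bytes actually present. */
static size_t sqfs_build_block(uint8_t *buf, size_t buf_len, uint16_t size_field,
                               const uint8_t *data, size_t copy_len)
{
    if (buf_len < SQFS_HEADER_SIZE + copy_len)
        return 0;
    uint16_t hdr = (uint16_t)(SQFS_COMPRESSED_BIT | (size_field & 0x7fffu));
    buf[0] = (uint8_t)(hdr & 0xff);
    buf[1] = (uint8_t)(hdr >> 8);
    memcpy(buf + SQFS_HEADER_SIZE, data, copy_len);
    return SQFS_HEADER_SIZE + copy_len;
}

/* Constructed inputs. */
static const uint8_t sqfs_payload[] = "fragment-table-entry";            /* 21 bytes */
static const uint8_t sqfs_malicious_hdr[SQFS_HEADER_SIZE] = { 0xff, 0xff }; /* size 0x7fff */

/* Run the reader on one image; return the copied length, or the error code. */
static int sqfs_run(const uint8_t *img, size_t n)
{
    uint8_t entries[SQFS_METADATA_BLOCK_SIZE];
    size_t got = 0;
    int rc = sqfs_read_meta_checked(img, n, 0, entries, &got);
    return rc == META_OK ? (int)got : rc;
}

static int sqfs_demo_benign(void)        /* header matches the bytes present */
{
    uint8_t img[64];
    size_t n = sqfs_build_block(img, sizeof img, sizeof sqfs_payload,
                                sqfs_payload, sizeof sqfs_payload);
    return sqfs_run(img, n);
}

static int sqfs_demo_forged_size(void)   /* header claims 100 bytes, 4 present */
{
    uint8_t img[64];
    size_t n = sqfs_build_block(img, sizeof img, 100, sqfs_payload, 4);
    return sqfs_run(img, n);
}

static int sqfs_demo_malicious(void)     /* the report's 32767-byte size field */
{
    return sqfs_run(sqfs_malicious_hdr, sizeof sqfs_malicious_hdr);
}

int main(void)
{
    printf("benign:      %d (copied length)\n", sqfs_demo_benign());
    printf("forged size: %d (META_ERR_TRUNCATED)\n", sqfs_demo_forged_size());
    printf("malicious:   size field %zu -> %d (META_ERR_TOO_BIG)\n",
           sqfs_meta_data_size(sqfs_meta_header(sqfs_malicious_hdr)),
           sqfs_demo_malicious());
    return 0;
}
```

The order of checks matters: the 0xFFFF header decodes to a size of 32767, so without the bound the unchecked memcpy the report describes would write 32767 - 8192 bytes past the 8192-byte buffer; the bound is tested first, before the image-length check, so a forged size is rejected even when the image happens to be large enough to read from.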