When growing the segment array in find_entry(), the memset() that zeroes
the newly allocated slots computed the destination with redundant sizeof
scaling:
memset(segments + (num_segments * sizeof(struct tffs_entry_segment)), ...)
segments is a typed pointer, so pointer arithmetic already scales by the
element size. Multiplying the offset by sizeof again advances the
destination by num_segments * sizeof^2 bytes, landing far outside the
realloc()'d buffer and zeroing unrelated heap memory whenever a TFFS
entry spans multiple segments that require array expansion.
Drop the redundant multiplication so the memset targets segments[num_segments].
This is a robustness fix for malformed/corrupt TFFS content; the parser
only reads the on-device nand-tffs MTD partition as root, so it is not
considered security relevant.
Reported-by: @Vasco0x4
Assisted-by: Claude:claude-opus-4-8
Link: https://github.com/openwrt/openwrt/pull/23763
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
include $(TOPDIR)/rules.mk
PKG_NAME:=fritz-tools
-PKG_RELEASE:=3
+PKG_RELEASE:=4
CMAKE_INSTALL:=1
include $(INCLUDE_DIR)/package.mk
uint32_t new_num_segs = next_seg == 0 ? seg + 1 : next_seg + 1;
if (new_num_segs > num_segments) {
segments = realloc(segments, new_num_segs * sizeof(struct tffs_entry_segment));
- memset(segments + (num_segments * sizeof(struct tffs_entry_segment)), 0x0,
+ memset(segments + num_segments, 0x0,
(new_num_segs - num_segments) * sizeof(struct tffs_entry_segment));
num_segments = new_num_segs;
}
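Review bot: the realloc() on the context line just above the changed memset() is still unchecked, so if it fails `segments` becomes NULL, the corrected `segments + num_segments` is computed from NULL, and the previous buffer pointer is lost. Suggest assigning to a temporary and bailing out before the memset, e.g. `struct tffs_entry_segment *tmp = realloc(segments, new_num_segs * sizeof(*tmp));` then `if (!tmp) return error;` and `segments = tmp;`. The fix itself is correct: with a typed pointer, `segments + num_segments` already addresses element num_segments, and the byte count `(new_num_segs - num_segments) * sizeof(struct tffs_entry_segment)` on the unchanged following line matches that destination exactly.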