[PATCH v1 1/2] tools: mkimage: fix get_basename crash on paths with dotted directories
Marek Vasut
marek.vasut at mailbox.org
Thu May 21 18:09:28 CEST 2026
On 5/21/26 4:34 AM, Aristo Chen wrote:
> The get_basename() helper in tools/fit_image.c searches the entire input
> path for the last '/' and the last '.' independently. When the last '.'
> falls at an offset earlier than the last '/' (for example "./mydt",
> "a.b/c", or "sub.d/leaf"), 'end' points before 'start' and the computed
> length is negative. The subsequent size check uses signed comparison so
> the negative value passes through unchanged, and memcpy() is then called
> with that length implicitly cast to size_t, which segfaults.
>
> Restrict the dot search to the substring that follows the last slash so
> that only an extension in the filename component can become the end of
> the basename. This matches the function's stated intent of stripping an
> extension from the leaf, and keeps the existing behaviour for typical
> inputs such as "arch/arm/dts/foo.dtb".
>
> Reproducer that previously segfaulted and now produces a valid image:
>
> echo dummy > kernel.bin
> echo dummy > ./mydt
> ./tools/mkimage -f auto -A arm -O linux -T kernel -C none \
> -a 0x80000000 -e 0x80000000 -n test \
> -d kernel.bin -b ./mydt out.itb
>
> Signed-off-by: Aristo Chen <aristo.chen at canonical.com>
> ---
> tools/fit_image.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/tools/fit_image.c b/tools/fit_image.c
> index 1dbc14c63e4..6c129117297 100644
> --- a/tools/fit_image.c
> +++ b/tools/fit_image.c
> @@ -265,8 +265,14 @@ static void get_basename(char *str, int size, const char *fname)
> */
> p = strrchr(fname, '/');
> start = p ? p + 1 : fname;
> - p = strrchr(fname, '.');
> - end = p ? p : fname + strlen(fname);
> + /*
> + * Search for the extension dot only within the basename. Searching
> + * the whole path would let a dot in the directory part (for example
> + * "./mydt" or "a.b/c") place 'end' before 'start' and produce a
> + * negative length, which the size check below does not catch.
> + */
> + p = strrchr(start, '.');
> + end = p ? p : start + strlen(start);
> len = end - start;
> if (len >= size)
> len = size - 1;
Why not call basename(3) directly in here ? Why reimplement it ?
More information about the U-Boot
mailing list