From f5df66531d2f98413d52f44dcee535f466cacd8d Mon Sep 17 00:00:00 2001
From: Ondřej Vašík
Date: Nov 05 2012 13:03:54 +0000
Subject: cp: avoid data-corrupting free-memory-read (upstream fix)
---
diff --git a/coreutils-8.17-cp-freememoryread.patch b/coreutils-8.17-cp-freememoryread.patch
new file mode 100644
index 0000000..be4a429
--- /dev/null
+++ b/coreutils-8.17-cp-freememoryread.patch
@@ -0,0 +1,29 @@
+diff -urNp coreutils-8.17-orig/src/extent-scan.c coreutils-8.17/src/extent-scan.c
+--- coreutils-8.17-orig/src/extent-scan.c 2012-05-02 10:31:47.000000000 +0200
++++ coreutils-8.17/src/extent-scan.c 2012-11-05 12:05:36.732370966 +0100
+@@ -89,7 +89,7 @@ extern bool
+ extent_scan_read (struct extent_scan *scan)
+ {
+ unsigned int si = 0;
+- struct extent_info *last_ei IF_LINT ( = scan->ext_info);
++ struct extent_info *last_ei = scan->ext_info;
+
+ while (true)
+ {
+@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *sc
+
+ assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
+ scan->ei_count += fiemap->fm_mapped_extents;
+- scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+- sizeof (struct extent_info));
++ {
++ /* last_ei points into a buffer that may be freed via xnrealloc.
++ Record its offset and adjust after allocation. */
++ size_t prev_idx = last_ei - scan->ext_info;
++ scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
++ sizeof (struct extent_info));
++ last_ei = scan->ext_info + prev_idx;
++ }
+
+ unsigned int i = 0;
+ for (i = 0; i < fiemap->fm_mapped_extents; i++)
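Review bot: The rebasing step `size_t prev_idx = last_ei - scan->ext_info;` in the second inner hunk is only valid while `last_ei` points into the current `scan->ext_info` array, and nothing in the patch states or checks that invariant. If `scan->ext_info` can still be NULL on the first pass (its initialisation is outside this patch), the subtraction is between two null pointers, which ISO C leaves undefined even though it yields 0 on common platforms. A guard such as `size_t prev_idx = scan->ext_info ? last_ei - scan->ext_info : 0;` avoids relying on that. The comment could also record the invariant, e.g. `/* last_ei always points into scan->ext_info (or equals it); rebase it after every xnrealloc. */`. The body of extent_scan_read continues outside both inner hunks, so the later uses of `last_ei` cannot be checked from here.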