Miscellaneous C99-compatible changes #134
Open
throwaway96 wants to merge 27 commits into openlgtv:master
smx-smx reviewed Feb 3, 2026
| if(is_nfsb_mem(file, 0)) | ||
| /* The minimum size for the data checked here seems to be 17. */ | ||
| if ((msize(file) > 17) && is_nfsb_mem(file, 0)) { |
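Review bot: the `msize(file) > 17` guard on the added line is narrower than what `is_nfsb_mem()` reads. The excerpt of that function quoted elsewhere in this review compares up to 6 bytes at `data + 0x1A`, which is 32 bytes from the start, so an 18-byte file that begins with `NFSB` passes this check and can still be read past its end. The comparison is also strict, so a file of exactly 17 bytes is rejected even though the comment gives 17 as the minimum. Suggest moving the length validation into `is_nfsb_mem()` so that callers passing a non-zero offset are covered too, and replacing the literal 17 with a named constant derived from the probe offsets.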
for the future: we could perhaps use something similar to the existing cursor_t type, so that we always do safe reads (similar to C# Span)
smx-smx reviewed Feb 3, 2026
smx-smx approved these changes Feb 3, 2026
0156e96 to 79b3927
Pull request overview
This PR bundles several small C99-oriented robustness and cleanup changes across the extractor, focused on preventing crashes on small/empty inputs, improving key/signature handling, and making the -n flag disable auto-extraction for more filesystem types (not just SquashFS).
Changes:
- Add size/bounds checks before probing file “magic” values (e.g., LZ4, Philips Fusion1, cramfs, symfile, MTK PKG cases).
- Refactor crypto/key handling and modernize signatures/compare helpers to use `bool` and `const` where appropriate.
- Replace `noAutoUnsquashfs` with a broader `noAutoExtractFs` option and gate additional filesystem auto-extraction paths.
Reviewed changes
Copilot reviewed 21 out of 21 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| src/util.c | Adds size checks and refactors helpers (datetime/part-type detection); updates kernel extraction I/O. |
| src/util_crypto.c | Refactors key-file handling and AES key scanning; updates types to bool/const. |
| src/symfile.c | Adds a minimum-size guard before mapping SYM files. |
| src/philips.c | Adds a minimum-size guard before checking the Philips Fusion1 magic. |
| src/mfile.c | Extends _mopen/mopen_private with a writable concept for private mappings. |
| src/mediatek_pkg.c | Tightens size checks and updates calls to the refactored crypto APIs. |
| src/main.c | Renames the -n behavior to apply to multiple filesystem extraction paths. |
| src/lzo-lg.c | Removes an unused variable read from the stream. |
| src/epk3.c | Updates compare callbacks and printf formats for portability; minor control-flow cleanup. |
| src/epk2.c | Updates compare callbacks and adapts to boolean crypto wrapper return values. |
| src/epk1.c | Improves const-correctness and uses snprintf; plugs a leak in one branch. |
| src/epk.c | Refactors header-type detection and switches crypto wrapper APIs to bool/const; adjusts OpenSSL usage. |
| src/cramfs/uncramfs.c | Adds a minimum-size guard before mapping cramfs images. |
| include/util.h | Updates is_datetime to return bool. |
| include/util_crypto.h | Updates CompareFunc and key-finder signature to use bool/const. |
| include/mfile.h | Adds bool and updates mopen_private signature. |
| include/main.h | Updates handle_file declaration (currently mismatched with implementation). |
| include/epk3.h | Updates compare function prototypes to bool/const. |
| include/epk2.h | Updates compare function prototypes to bool/const. |
| include/epk.h | Updates crypto wrapper prototypes to bool/const and adds an INVALID enum value. |
| include/config.h | Renames noAutoUnsquashfs to noAutoExtractFs. |
Comments suppressed due to low confidence (2)
src/symfile.c:94
`mmap` failure is checked incorrectly: `mmap()` returns `MAP_FAILED` (not `NULL`) on error, so the current `if (header == NULL)` check won’t catch failures and will later dereference an invalid pointer. Check `p == MAP_FAILED` (and close `fd`) before using the mapping.
```c
if (st_buf.st_size < sizeof(*header)) {
    close(fd);
    return -1;
}
p = mmap(NULL, st_buf.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
header = p;
p += sizeof(*header);
if (header == NULL) {
    fprintf(stderr, "can't mmap `%s': %m\n", fname);
    return -1;
}
```
src/util.c:281
`is_nfsb_mem` performs `memcmp` at `data + 0x1A` for up to 6 bytes (and also reads the 4-byte magic), but it doesn’t validate that `offset + 0x1A + 6 <= msize(file)` before doing so. Since this helper is called with non-zero offsets (e.g., Sharp PKG handling), it can still read past the mapping and crash on small inputs. Add a bounds check up front and return `false` if the file is too small for the maximum probe offset.
```c
bool is_nfsb_mem(MFILE *file, off_t offset){
    uint8_t *data = &(mdata(file, uint8_t))[offset];
    if(memcmp(data, "NFSB", 4) != 0){
        return false;
    }
    /* XXX: This needs to check the length of the file before reading anything.*/
    const char algo_md5[] = "md5";
    const char algo_sha256[] = "sha256";
    const int offsets[] = { 0x0E, 0x1A };
    const char *algos[] = { algo_md5, algo_sha256 };
    const int lengths[] = { sizeof(algo_md5) - 1, sizeof(algo_sha256) - 1 };
    const int num_offsets = countof(offsets);
    const int num_algos = countof(algos);
    for(int i=0; i<num_algos; i++){
        for(int j=0; j<num_offsets; j++){
            if(memcmp(data + offsets[j], algos[i], lengths[i]) == 0){
                return true;
```
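The bounds-checked read pattern raised in the review comments above (a span-like type, and validating each probe of `is_nfsb_mem` against the mapping size) can look like the following. This is an added example, not code from the pull request or the project: `span_t`, `span_has`, `span_eq`, `is_nfsb_span`, `probe` and `SAMPLE` are hypothetical names, and the sample buffer is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read-only view of a mapped file: base pointer plus length. */
typedef struct { const uint8_t *data; size_t size; } span_t;

/* True only if [off, off + len) lies inside the span; cannot overflow. */
static bool span_has(span_t s, size_t off, size_t len) {
    return off <= s.size && len <= s.size - off;
}

/* Bounds-checked memcmp: an out-of-range probe is a mismatch, never a read. */
static bool span_eq(span_t s, size_t off, const void *want, size_t len) {
    return span_has(s, off, len) && memcmp(s.data + off, want, len) == 0;
}

/* Same probes as the is_nfsb_mem() excerpt: "NFSB" magic, then "md5" or
 * "sha256" at 0x0E or 0x1A, all relative to `offset`. */
bool is_nfsb_span(span_t s, size_t offset) {
    static const char *const algos[] = { "md5", "sha256" };
    static const size_t rel[] = { 0x0E, 0x1A };
    if (offset > s.size)
        return false;
    /* Re-base the span at `offset` so later probes never add to it. */
    span_t t = { s.data + offset, s.size - offset };
    if (!span_eq(t, 0, "NFSB", 4))
        return false;
    for (size_t i = 0; i < sizeof algos / sizeof algos[0]; i++)
        for (size_t j = 0; j < sizeof rel / sizeof rel[0]; j++)
            if (span_eq(t, rel[j], algos[i], strlen(algos[i])))
                return true;
    return false;
}

/* Constructed 32-byte sample (not a real image): magic plus "sha256" at 0x1A. */
static const uint8_t SAMPLE[32] = { 'N', 'F', 'S', 'B', [0x1A] = 's', 'h', 'a', '2', '5', '6' };
/* Probe the sample as if only its first n bytes were mapped. */
bool probe(size_t n, size_t offset) {
    span_t s = { SAMPLE, n };
    return is_nfsb_span(s, offset);
}

int main(void) {
    printf("32: %d, 31: %d, 18: %d, empty: %d\n", probe(32, 0), probe(31, 0), probe(18, 0), probe(0, 0));
    return 0;
}
```

The 18-byte case is the one a caller-side `msize(file) > 17` guard lets through: here it returns false without touching bytes beyond the mapped length.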
79b3927 to e0233e4
Added some error handling. Tried to choose better types. Also made some modifications to util.h and common.h.
e0233e4 to b72ae38
CompareFunc now takes a const pointer and returns bool. Separated get_epak_header_type() out from compare_epak_header() and added INVALID to FILE_TYPE_T for when get_epak_header_type() does not find a match.
Mostly relatively straightforward type fixes/changes, including some format specifier incompatibility.
EVP_VerifyFinal() returns -1 on error, and therefore so did API_SWU_VerifyImage(). The check in wrap_SWU_VerifyImage() would treat a return value of -1 as success, meaning it could treat an invalid signature as having been successfully verified.
These probably shouldn't even be switches.
Added size checks to the following functions:
- is_mtk_pkg
- is_philips_fusion1
- is_nfsb
- is_lz4
- is_cramfs_image (exited rather than crashing)
- symfile_load

These checks are incredibly basic and likely to miss many issues, but they at least stop crashes on zero-length files.

Bug fixes in wrap_decryptimage():
- Fix leak of KeyPair returned by find_AES_key()
- Fix leak of decryptedData when type == EPK
- Fix potential NULL dereference of decryptedData

Bug fixes in extractEPKfile():
- Fix missing mclose() on error

Refactoring:
- Remove wrap_decryptimage() outType parameter
- Change return types to bool
- Change global variables to function-scope statics
- Pass aesKey explicitly to decryptImage()
b72ae38 to d2319de
This PR contains most of my minor commits, except for the ones that (more or less) require C11.
The fixes include not crashing on empty input files, eliminating a memory leak in EPKv1 extraction, and making the `-n` switch apply to filesystems other than Squashfs.
I've been personally using these for almost 2 years now. In that time, I've extracted a lot of EPKv3 files; the rest, not so much.