authorJim Meyering <jim@meyering.net>2012-10-16 17:43:49 +0200
committerJim Meyering <jim@meyering.net>2012-10-17 18:17:56 +0200
commit64aef5fb9afecc023a6e719da161dbbf450908b8 (patch)
treea592f63d1dd77c6f946eb594a4828468f100db58 /src/extent-scan.c
parentc528f13136c8b3ed89d5d59bdc04f99872e10fa7 (diff)
cp: avoid data-corrupting free-memory-read
* src/extent-scan.c (extent_scan_read): Reset our last_ei pointer whenever the parent buffer might have just been freed. * tests/cp/fiemap-extent-FMR.sh: New test. * tests/local.mk (all_tests): Add it. * NEWS (Bug fixes): Mention it. Reported by Mike Gerth in http://bugs.gnu.org/12656, and with help from Alan Curry. Bug introduced in commit v8.10-60-g18f5a85.
Diffstat (limited to 'src/extent-scan.c')
-rw-r--r--src/extent-scan.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/src/extent-scan.c b/src/extent-scan.c
index 0c25c5705..f96229855 100644
--- a/src/extent-scan.c
+++ b/src/extent-scan.c
@@ -89,7 +89,7 @@ extern bool
extent_scan_read (struct extent_scan *scan)
{
unsigned int si = 0;
- struct extent_info *last_ei IF_LINT ( = scan->ext_info);
+ struct extent_info *last_ei = scan->ext_info;
while (true)
{
@@ -127,8 +127,14 @@ extent_scan_read (struct extent_scan *scan)
assert (scan->ei_count <= SIZE_MAX - fiemap->fm_mapped_extents);
scan->ei_count += fiemap->fm_mapped_extents;
- scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
- sizeof (struct extent_info));
+ {
+ /* last_ei points into a buffer that may be freed via xnrealloc.
+ Record its offset and adjust after allocation. */
+ size_t prev_idx = last_ei - scan->ext_info;
+ scan->ext_info = xnrealloc (scan->ext_info, scan->ei_count,
+ sizeof (struct extent_info));
+ last_ei = scan->ext_info + prev_idx;
+ }
unsigned int i = 0;
for (i = 0; i < fiemap->fm_mapped_extents; i++)