cpiofs: Buffer overflows and memory leak fixed



Hi!

This patch was proposed by drk sgi com and applied some time ago.
I don't know the name of this person, but s/he proposed a number
of useful patches. Thanks a lot!

BTW, I have a number of cpio archives which force cpiofs to exit mc.
They have the old ASCII format (CPIO_OLDC, 3), but this one is not handled
in cpio_skip_padding and so g_assert_not_reached fires.

Old cpiofs without this g_assert_not_reached can manage these archives.
CPIO_OLDC is handled in cpio_read_header and cpio_find_header,
so I think the patch can be trivial.

Regards,
Andrew.

ChangeLog:
	* cpio.c (cpio_read_crc_head): Fix buffer overflow.
	(cpio_read_oldc_head): Likewise. By drk sgi com 
	http://bugzilla.gnome.org/show_bug.cgi?id=60933

	* (cpio_read_oldc_head): Release name if mc_read fails.

--- vfs/cpio.c	Mon Mar  5 03:20:03 2001
+++ vfs/cpio.c	Thu Oct 25 17:28:04 2001
@@ -300,7 +300,7 @@
     if((len = mc_read(super->u.cpio.fd, (void *)buf, HEAD_LENGTH)) < HEAD_LENGTH)
 	return STATUS_EOF;
     CPIO_POS(super) += len;
-    buf[HEAD_LENGTH + 1] = 0;
+    buf[HEAD_LENGTH] = 0;
 
     if(sscanf((void *)buf, "070707%6lo%6lo%6lo%6lo%6lo%6lo%6lo%11lo%6lo%11lo",
 	      &hd.c_dev, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
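Review bot: the corrected index in `buf[HEAD_LENGTH] = 0;` is only in bounds if buf is declared with at least HEAD_LENGTH + 1 bytes, and that declaration is outside this hunk. Please confirm it in the patch description, or, if buf is a local array, write the terminator as `buf[sizeof(buf) - 1] = 0;` so the index cannot drift from the buffer size again.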
@@ -311,9 +311,10 @@
     }
 
     name = g_malloc(hd.c_namesize);
-    if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize)
+    if((len = mc_read(super->u.cpio.fd, name, hd.c_namesize)) < hd.c_namesize) {
+	g_free (name);
 	return STATUS_EOF;
-
+    }
     CPIO_POS(super) +=  len;
     cpio_skip_padding(super);
 
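Review bot: in the `g_malloc(hd.c_namesize)` / `mc_read(..., name, hd.c_namesize)` pair, hd.c_namesize is parsed from the archive header and is used unchecked as both the allocation size and the read length. The added g_free closes the leak on the short-read path, but a zero or very large value still passes through; consider rejecting c_namesize == 0 and values above a sane maximum before allocating, and verify that the last byte read into name is NUL before it is treated as a string. If hd.c_namesize is an unsigned type, also check that a negative return from mc_read is not converted to a large unsigned value in `len < hd.c_namesize`, which would skip this error path.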
@@ -348,7 +349,7 @@
     if((len = mc_read(super->u.cpio.fd, buf, HEAD_LENGTH)) < HEAD_LENGTH)
 	return STATUS_EOF;
     CPIO_POS(super) += len;
-    buf[HEAD_LENGTH + 1] = 0;
+    buf[HEAD_LENGTH] = 0;
 
     if(sscanf(buf, "%6ho%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx%8lx",
 	      &hd.c_magic, &hd.c_ino, &hd.c_mode, &hd.c_uid, &hd.c_gid,
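Review bot: on the short-read check just above the changed line, `len < HEAD_LENGTH` returns STATUS_EOF for both a truncated header and a failed mc_read (negative len), so an I/O error is reported as a clean end of archive. Consider returning a distinct failure status when len < 0. The index fix itself mirrors the first hunk and likewise depends on buf holding at least HEAD_LENGTH + 1 bytes.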


