diff options
| author | Anton Moryakov <ant.v.moryakov@gmail.com> | 2024-12-24 15:27:09 +0300 |
|---|---|---|
| committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2024-12-24 17:22:12 +0100 |
| commit | c01a38b3441b7a638137aa99c4ddd410a8dc4468 (patch) | |
| tree | 4e1698f3df21873d1017e7ab2d2988ad5f938fc9 | |
| parent | 117efd252bc485084a609c405c312f5a9229e25a (diff) | |
jffsX-utils: fix integer overflow in jffs2dump.c
Report of the static analyzer:
The value of an arithmetic expression 'datsize + oobsize' is a subject to overflow because its operands are not cast to a larger data type before performing arithmetic.
Corrections explained:
- Added a check to validate datsize and oobsize to ensure they are non-negative and within a safe range.
- Cast datsize and oobsize to long before performing arithmetic to prevent potential integer overflow.
This change ensures safe computation of offsets and prevents undefined behavior caused by overflow.
Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
| -rw-r--r-- | jffsX-utils/jffs2dump.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/jffsX-utils/jffs2dump.c b/jffsX-utils/jffs2dump.c index 30455ea..b757ebe 100644 --- a/jffsX-utils/jffs2dump.c +++ b/jffsX-utils/jffs2dump.c @@ -772,6 +772,13 @@ int main(int argc, char **argv) exit(EXIT_FAILURE); } + if (datsize < 0 || oobsize < 0 || datsize > imglen || (long)datsize + oobsize < 0) { + fprintf(stderr, "Error: invalid datsize/oobsize.\n"); + free(data); + close (fd); + exit(EXIT_FAILURE); + } + if (datsize && oobsize) { int idx = 0; long len = imglen; @@ -783,7 +790,7 @@ int main(int argc, char **argv) read_nocheck (fd, oob, oobsize); idx += datsize; imglen -= oobsize; - len -= datsize + oobsize; + len -= (long)datsize + oobsize; } } else { |