author Anton Moryakov <ant.v.moryakov@gmail.com> 2025-10-28 01:50:32 +0300
committer David Oberhollenzer <david.oberhollenzer@sigma-star.at> 2026-04-13 08:42:56 +0200
commit 3528028a687820eebe2a94013d6ec3a052b4c20e (patch)
tree b6280f7d088f55b1776267e59091503216ebe78c /misc-utils
parent a505a2cc56acf493607fdf24cbf129393a0873fa (diff)
misc-utils: docfdisk.c: fix potential integer underflow in partition size calculation

report of the static analyzer:
Possible integer underflow: right operand is tainted. An integer underflow may occur due to arithmetic operation (unsigned subtraction) between variables 'totblocks' and 'block', where 'totblocks' is in range { [0, 4294967295] }, and 'block' is tainted { [0, 4294967295] }

correct explained:
Added validation check before calculating remaining space for partition. The issue occurred when setting the last partition size to 0, which triggers calculation 'totblocks - block'. Without validation, if block >= totblocks, this would result in integer underflow due to unsigned arithmetic, potentially creating a partition with enormous size and leading to device corruption.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

Diffstat (limited to 'misc-utils')
-rw-r--r-- misc-utils/docfdisk.c 7
1 files changed, 6 insertions, 1 deletions
diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c
index 486ce29..47e4ff9 100644
--- a/misc-utils/docfdisk.c
+++ b/misc-utils/docfdisk.c
@@ -253,8 +253,13 @@ int main(int argc, char **argv)
for (i = 0; i < npart; i++) {
ip = &(mh->Partitions[i]);
ip->firstUnit = cpu_to_le32(block);
- if (!nblocks[i])
+ if (!nblocks[i]) {
+ if (block >= totblocks) {
+ printf("No space left on device for partition.\n");
+ return 1;
+ }
nblocks[i] = totblocks - block;
+ }
ip->virtualUnits = cpu_to_le32(nblocks[i]);
block += nblocks[i];
ip->lastUnit = cpu_to_le32(block-1);
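
Review bot: the new `block >= totblocks` check guards only the `!nblocks[i]` branch, so in the lines shown a nonzero `nblocks[i]` still reaches `block += nblocks[i]` with no bound against `totblocks` and no guard against the unsigned sum wrapping. If `block` wraps to a small value, a later size-0 partition passes the new check and `totblocks - block` is computed from a bogus start, which is the same corruption outcome the commit message describes. Unless the explicit sizes are rejected elsewhere in the function, consider establishing `block <= totblocks` first and then testing `nblocks[i] > totblocks - block` before the addition, so both branches hold the same invariant. Two smaller points: the message does not say which partition failed (`i + 1` is available in the loop), and it is written with `printf` to stdout rather than to stderr.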