From 3528028a687820eebe2a94013d6ec3a052b4c20e Mon Sep 17 00:00:00 2001 From: Anton Moryakov Date: Tue, 28 Oct 2025 01:50:32 +0300 Subject: misc-utils: docfdisk.c: fix potential integer underflow in partition size calculation report of the static analyzer: Possible integer underflow: right operand is tainted. An integer underflow may occur due to arithmetic operation (unsigned subtraction) between variables 'totblocks' and 'block', where 'totblocks' is in range { [0, 4294967295] }, and 'block' is tainted { [0, 4294967295] } correct explained: Added validation check before calculating remaining space for partition. The issue occurred when setting the last partition size to 0, which triggers calculation 'totblocks - block'. Without validation, if block >= totblocks, this would result in integer underflow due to unsigned arithmetic, potentially creating a partition with enormous size and leading to device corruption. Signed-off-by: Anton Moryakov Signed-off-by: David Oberhollenzer --- misc-utils/docfdisk.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c index 486ce29..47e4ff9 100644 --- a/misc-utils/docfdisk.c +++ b/misc-utils/docfdisk.c @@ -253,8 +253,13 @@ int main(int argc, char **argv) for (i = 0; i < npart; i++) { ip = &(mh->Partitions[i]); ip->firstUnit = cpu_to_le32(block); - if (!nblocks[i]) + if (!nblocks[i]) { + if (block >= totblocks) { + printf("No space left on device for partition.\n"); + return 1; + } nblocks[i] = totblocks - block; + } ip->virtualUnits = cpu_to_le32(nblocks[i]); block += nblocks[i]; ip->lastUnit = cpu_to_le32(block-1); -- cgit v1.2.3
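Review bot: the diagnostic in the new `if (block >= totblocks)` branch is written to stdout with `printf`, but it is a fatal error (the function returns 1 right after it), so it belongs on stderr; suggest `fprintf(stderr, "No space left on device for partition %d.\n", i);` so the message survives output redirection and names the partition that could not be placed. The guard also covers only the implicit-size case (`!nblocks[i]`): in the unchanged context an explicit non-zero `nblocks[i]` is still added to `block` via `block += nblocks[i];` with no comparison against `totblocks`, so an oversized explicit size can push `ip->lastUnit` past the end of the device; if that is validated when the sizes are parsed it would help to say so in the commit message, otherwise a `block + nblocks[i] > totblocks` check alongside this one would close the same class of problem the message describes.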