From 5f7dd327a813c83f97f4a6128bb82c021ed870d8 Mon Sep 17 00:00:00 2001 From: Anton Moryakov Date: Tue, 28 Oct 2025 13:48:10 +0300 Subject: misc-utils: docfdisk.c: validate partition size to prevent arithmetic overflow report of the static analyzer: Possible integer overflow: right operand is tainted. An integer overflow may occur due to arithmetic operation (addition) between variable 'block' and value { [1, 4294967295] } of 'nblocks[i]', when 'block' is equal to '1' correct explained: Added bounds check before incrementing block counter to ensure that adding nblocks[i] does not exceed totblocks. This prevents potential integer overflow when user-specified partition sizes are too large, which could lead to incorrect partition table layout and device corruption. The validation ensures safe arithmetic by checking block + nblocks[i] <= totblocks using unsigned comparison. Signed-off-by: Anton Moryakov Signed-off-by: David Oberhollenzer --- misc-utils/docfdisk.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c index 47e4ff9..7b936d5 100644 --- a/misc-utils/docfdisk.c +++ b/misc-utils/docfdisk.c @@ -260,6 +260,10 @@ int main(int argc, char **argv) } nblocks[i] = totblocks - block; } + if (nblocks[i] > totblocks || block > totblocks - nblocks[i]) { + printf("Requested partition size exceeds available device space.\n"); + return 1; + } ip->virtualUnits = cpu_to_le32(nblocks[i]); block += nblocks[i]; ip->lastUnit = cpu_to_le32(block-1); -- cgit v1.2.3
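Review bot: The new bounds check emits its diagnostic with printf to stdout; since main() returns 1 here, the message should go to stderr (fprintf(stderr, ...)) so it is not mixed into normal output or lost when stdout is redirected. The condition itself is sound: testing nblocks[i] > totblocks first guarantees that totblocks - nblocks[i] cannot wrap, so block > totblocks - nblocks[i] is the overflow-safe form of the block + nblocks[i] > totblocks test described in the commit message; a short comment stating that equivalence next to the if would help the next reader, and the check is correctly placed before block += nblocks[i] and the cpu_to_le32(block-1) that follows, so a too-large nblocks[i] from the user never reaches the partition table.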