author | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-10 23:30:15 +0100 |
---|---|---|
committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-10 23:31:54 +0100 |
commit | 82f83c9515aaf99d12f6aa101c4d7b7463850e8b (patch) | |
tree | 574d82b3b089b4b697e073737341c36dfc8d73cb | |
parent | f20ed9eef65cb9ce56f4a7abd07ad80979b888ad (diff) |
Fix: guard against potential overflow in file size calculation

The block_count is a size_t, so on 32 bit platforms the multiplication
might be truncated before the comparison with filesz.

On 64 bit platforms, it could potentially also overflow the 64 bit
bounds of the data type.

Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

-rw-r--r-- | lib/sqfs/data_reader.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c index 2a4bf5a..e3a2eef 100644 --- a/lib/sqfs/data_reader.c +++ b/lib/sqfs/data_reader.c @@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data, block_count = sqfs_inode_get_file_block_count(inode); - if (block_count * data->block_size >= filesz) + if (block_count > (UINT64_MAX / data->block_size)) + return SQFS_ERROR_OVERFLOW; + + if ((sqfs_u64)block_count * data->block_size >= filesz) return 0; frag_sz = filesz % data->block_size; |
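
Review bot: The new guard `if (block_count > (UINT64_MAX / data->block_size))` divides by data->block_size, and nothing in this hunk shows that the value is known to be nonzero; the existing `frag_sz = filesz % data->block_size;` a few lines below has the same dependency. Please confirm block_size is validated before the reader can reach this function, or reject a zero value ahead of the division so a malformed image yields an error code rather than a fault. A smaller point on the same lines: with block_count being a size_t, as the commit message says, the comparison cannot be true on 32 bit builds for any block_size that fits in 32 bits, so there it is the `(sqfs_u64)` cast that prevents the truncation. A one-line comment stating that the guard covers the 64 bit case and the cast covers the 32 bit case would keep a later cleanup from dropping either one.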