diff options
| author | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-10 23:30:15 +0100 |
|---|---|---|
| committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-10 23:31:54 +0100 |
| commit | 82f83c9515aaf99d12f6aa101c4d7b7463850e8b (patch) | |
| tree | 574d82b3b089b4b697e073737341c36dfc8d73cb | |
| parent | f20ed9eef65cb9ce56f4a7abd07ad80979b888ad (diff) | |
Fix: guard against potential overflow in file size calculation
The block_count is a size_t, so on 32 bit platforms the multiplication
might be truncated before the comparison with filesz.
On 64 bit platforms, it could potentially also overflow the 64 bit
bounds of the data type.
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
| -rw-r--r-- | lib/sqfs/data_reader.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c index 2a4bf5a..e3a2eef 100644 --- a/lib/sqfs/data_reader.c +++ b/lib/sqfs/data_reader.c @@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data, block_count = sqfs_inode_get_file_block_count(inode); - if (block_count * data->block_size >= filesz) + if (block_count > (UINT64_MAX / data->block_size)) + return SQFS_ERROR_OVERFLOW; + + if ((sqfs_u64)block_count * data->block_size >= filesz) return 0; frag_sz = filesz % data->block_size; |