summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2022-03-10 23:30:15 +0100
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2022-03-10 23:31:54 +0100
commit82f83c9515aaf99d12f6aa101c4d7b7463850e8b (patch)
tree574d82b3b089b4b697e073737341c36dfc8d73cb
parentf20ed9eef65cb9ce56f4a7abd07ad80979b888ad (diff)
Fix: guard against potential overflow in file size calculation
The block_count is a size_t, so on 32 bit platforms the multiplication might be truncated before the comparison with filesz. On 64 bit platforms, it could potentially also overflow the 64 bit bounds of the data type. Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r--lib/sqfs/data_reader.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c
index 2a4bf5a..e3a2eef 100644
--- a/lib/sqfs/data_reader.c
+++ b/lib/sqfs/data_reader.c
@@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data,
block_count = sqfs_inode_get_file_block_count(inode);
- if (block_count * data->block_size >= filesz)
+ if (block_count > (UINT64_MAX / data->block_size))
+ return SQFS_ERROR_OVERFLOW;
+
+ if ((sqfs_u64)block_count * data->block_size >= filesz)
return 0;
frag_sz = filesz % data->block_size;