summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2022-03-10 23:30:15 +0100
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2022-03-30 23:08:08 +0200
commit3afa0946239b31bf0487bb972e701cc85942445d (patch)
tree6804f4b5ac994d84b99962afef4235fb1dc57121
parent589beda5d919037310793d9751c7be8e3d0521a1 (diff)
Fix: guard against potential overflow in file size calculation
The block_count is a size_t, so on 32 bit platforms the multiplication might be truncated before the comparison with filesz. On 64 bit platforms, it could potentially also overflow the 64 bit bounds of the data type. Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r--lib/sqfs/data_reader.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c
index 2a4bf5a..e3a2eef 100644
--- a/lib/sqfs/data_reader.c
+++ b/lib/sqfs/data_reader.c
@@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data,
block_count = sqfs_inode_get_file_block_count(inode);
- if (block_count * data->block_size >= filesz)
+ if (block_count > (UINT64_MAX / data->block_size))
+ return SQFS_ERROR_OVERFLOW;
+
+ if ((sqfs_u64)block_count * data->block_size >= filesz)
return 0;
frag_sz = filesz % data->block_size;