diff options
| author | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-10 23:30:15 +0100 |
|---|---|---|
| committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-03-30 23:08:08 +0200 |
| commit | 3afa0946239b31bf0487bb972e701cc85942445d (patch) | |
| tree | 6804f4b5ac994d84b99962afef4235fb1dc57121 /lib/sqfs/data_reader.c | |
| parent | 589beda5d919037310793d9751c7be8e3d0521a1 (diff) | |
Fix: guard against potential overflow in file size calculation
The block_count is a size_t, so on 32 bit platforms the multiplication
might be truncated before the comparison with filesz.
On 64 bit platforms, it could potentially also overflow the 64 bit
bounds of the data type.
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
Diffstat (limited to 'lib/sqfs/data_reader.c')
| -rw-r--r-- | lib/sqfs/data_reader.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c index 2a4bf5a..e3a2eef 100644 --- a/lib/sqfs/data_reader.c +++ b/lib/sqfs/data_reader.c @@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data, block_count = sqfs_inode_get_file_block_count(inode); - if (block_count * data->block_size >= filesz) + if (block_count > (UINT64_MAX / data->block_size)) + return SQFS_ERROR_OVERFLOW; + + if ((sqfs_u64)block_count * data->block_size >= filesz) return 0; frag_sz = filesz % data->block_size; |