From 82f83c9515aaf99d12f6aa101c4d7b7463850e8b Mon Sep 17 00:00:00 2001 From: David Oberhollenzer Date: Thu, 10 Mar 2022 23:30:15 +0100 Subject: Fix: guard against potential overflow in file size calculation The block_count is a size_t, so on 32 bit platforms the multiplication might be truncated before the comparison with filesz. On 64 bit platforms, it could potentially also overflow the 64 bit bounds of the data type. Signed-off-by: David Oberhollenzer --- lib/sqfs/data_reader.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/sqfs') diff --git a/lib/sqfs/data_reader.c b/lib/sqfs/data_reader.c index 2a4bf5a..e3a2eef 100644 --- a/lib/sqfs/data_reader.c +++ b/lib/sqfs/data_reader.c @@ -268,7 +268,10 @@ int sqfs_data_reader_get_fragment(sqfs_data_reader_t *data, block_count = sqfs_inode_get_file_block_count(inode); - if (block_count * data->block_size >= filesz) + if (block_count > (UINT64_MAX / data->block_size)) + return SQFS_ERROR_OVERFLOW; + + if ((sqfs_u64)block_count * data->block_size >= filesz) return 0; frag_sz = filesz % data->block_size; -- cgit v1.2.3