[PATCH] fastboot: Fix overflow when calculating chunk size
Sean Anderson
sean.anderson at seco.com
Tue May 25 17:45:03 CEST 2021
On 5/13/21 11:54 AM, Sean Anderson wrote:
> Hi Lukasz,
>
> Can this make it into 2020.07? Thanks,
ping? Should Tom pick this up instead?
--Sean
>
> --Sean
>
> On 4/16/21 5:58 PM, Sean Anderson wrote:
>> If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
>> blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
>> its multiplicands as well. Also fix bytes_written while we're at it.
>>
>> Signed-off-by: Sean Anderson <sean.anderson at seco.com>
>> ---
>>
>> lib/image-sparse.c | 12 ++++++------
>> 1 file changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
>> index 187ac28cd3..52c8dcc08c 100644
>> --- a/lib/image-sparse.c
>> +++ b/lib/image-sparse.c
>> @@ -55,10 +55,10 @@ int write_sparse_image(struct sparse_storage *info,
>> lbaint_t blk;
>> lbaint_t blkcnt;
>> lbaint_t blks;
>> - uint32_t bytes_written = 0;
>> + uint64_t bytes_written = 0;
>> unsigned int chunk;
>> unsigned int offset;
>> - unsigned int chunk_data_sz;
>> + uint64_t chunk_data_sz;
>> uint32_t *fill_buf = NULL;
>> uint32_t fill_val;
>> sparse_header_t *sparse_header;
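Review bot: The two widened declarations are spelled uint64_t, but the casts added later in this patch are spelled (u64); use one spelling throughout write_sparse_image() so the types are easy to audit. The commit message could also say what was wrong with bytes_written (a 32-bit byte counter wraps once more than 4 GiB has been written), since "fix bytes_written while we're at it" does not describe the defect.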
>> @@ -132,7 +132,7 @@ int write_sparse_image(struct sparse_storage *info,
>> sizeof(chunk_header_t));
>> }
>> - chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
>> + chunk_data_sz = ((u64)sparse_header->blk_sz) * chunk_header->chunk_sz;
>> blkcnt = chunk_data_sz / info->blksz;
>> switch (chunk_header->chunk_type) {
>> case CHUNK_TYPE_RAW:
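Review bot: The quotient in blkcnt = chunk_data_sz / info->blksz is still stored in an lbaint_t, so on configurations where lbaint_t is narrower than 64 bits a large enough chunk truncates here, and blkcnt is again not what the header describes. Consider rejecting a chunk whose block count does not fit in lbaint_t before entering the switch. This line is also a 64-bit division now, so it is worth confirming that 32-bit targets still link, or using a helper such as lldiv().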
>> @@ -162,7 +162,7 @@ int write_sparse_image(struct sparse_storage *info,
>> return -1;
>> }
>> blk += blks;
>> - bytes_written += blkcnt * info->blksz;
>> + bytes_written += ((u64)blkcnt) * info->blksz;
>> total_blocks += chunk_header->chunk_sz;
>> data += chunk_data_sz;
>> break;
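Review bot: With chunk_data_sz now 64 bits wide, data += chunk_data_sz can advance the pointer by more than 4 GiB, and nothing in the lines shown checks that the chunk's payload actually lies inside the downloaded image. Since blk_sz and chunk_sz come from the image headers, a check of chunk_data_sz against the remaining image length before the write would keep a malformed header from moving data past the end of the buffer. The outer parentheses in ((u64)blkcnt) are redundant.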
>> @@ -222,7 +222,7 @@ int write_sparse_image(struct sparse_storage *info,
>> blk += blks;
>> i += j;
>> }
>> - bytes_written += blkcnt * info->blksz;
>> + bytes_written += ((u64)blkcnt) * info->blksz;
>> total_blocks += chunk_data_sz / sparse_header->blk_sz;
>> free(fill_buf);
>> break;
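Review bot: total_blocks += chunk_data_sz / sparse_header->blk_sz becomes a 64-bit division with this patch, and its result is just chunk_header->chunk_sz because chunk_data_sz was computed as blk_sz * chunk_sz. The RAW case already writes total_blocks += chunk_header->chunk_sz; doing the same here avoids the extra 64-bit divide and keeps the two cases consistent.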
>> @@ -253,7 +253,7 @@ int write_sparse_image(struct sparse_storage *info,
>> debug("Wrote %d blocks, expected to write %d blocks\n",
>> total_blocks, sparse_header->total_blks);
>> - printf("........ wrote %u bytes to '%s'\n", bytes_written, part_name);
>> + printf("........ wrote %llu bytes to '%s'\n", bytes_written, part_name);
>> if (total_blocks != sparse_header->total_blks) {
>> info->mssg("sparse image write failure", response);
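Review bot: The new %llu conversion is correct only where uint64_t is unsigned long long; on a build where it is a typedef for unsigned long the format and argument disagree. Either cast the argument, as in (unsigned long long)bytes_written, or declare bytes_written as unsigned long long so the printf does not depend on how the typedef resolves.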
>>