[PATCH] fastboot: Fix overflow when calculating chunk size

Sean Anderson sean.anderson at seco.com
Tue May 25 17:45:03 CEST 2021



On 5/13/21 11:54 AM, Sean Anderson wrote:
> Hi Lukasz,
> 
> Can this make it into 2020.07? Thanks,

ping? Should Tom pick this up instead?

--Sean

> 
> --Sean
> 
> On 4/16/21 5:58 PM, Sean Anderson wrote:
>> If a chunk was larger than 4GiB, then chunk_data_sz would overflow and
>> blkcnt would not be calculated correctly. Upgrade it to a u64 and cast
>> its multiplicands as well. Also fix bytes_written while we're at it.
>>
>> Signed-off-by: Sean Anderson <sean.anderson at seco.com>
>> ---
>>
>>   lib/image-sparse.c | 12 ++++++------
>>   1 file changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
>> index 187ac28cd3..52c8dcc08c 100644
>> --- a/lib/image-sparse.c
>> +++ b/lib/image-sparse.c
>> @@ -55,10 +55,10 @@ int write_sparse_image(struct sparse_storage *info,
>>       lbaint_t blk;
>>       lbaint_t blkcnt;
>>       lbaint_t blks;
>> -    uint32_t bytes_written = 0;
>> +    uint64_t bytes_written = 0;
>>       unsigned int chunk;
>>       unsigned int offset;
>> -    unsigned int chunk_data_sz;
>> +    uint64_t chunk_data_sz;
>>       uint32_t *fill_buf = NULL;
>>       uint32_t fill_val;
>>       sparse_header_t *sparse_header;
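
Review bot: the two widened declarations are spelled uint64_t, while the casts added further down in this patch are spelled u64. Use one spelling throughout the file so the declarations and the casts read the same. Note also that blkcnt, which the commit message names as the miscalculated value, stays lbaint_t here.
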
>> @@ -132,7 +132,7 @@ int write_sparse_image(struct sparse_storage *info,
>>                    sizeof(chunk_header_t));
>>           }
>> -        chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
>> +        chunk_data_sz = ((u64)sparse_header->blk_sz) * chunk_header->chunk_sz;
>>           blkcnt = chunk_data_sz / info->blksz;
>>           switch (chunk_header->chunk_type) {
>>           case CHUNK_TYPE_RAW:
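
Review bot: the quotient assigned to blkcnt on the line after the changed one can still be truncated, because chunk_data_sz is now 64 bits wide but blkcnt remains lbaint_t (first hunk). On a build where lbaint_t is 32 bits, the same >4GiB chunks this patch targets would silently lose their upper bits. Both multiplicands come from the image headers, so a range check on chunk_data_sz before the switch, failing the write when the block count does not fit, would be safer than relying on the wider type alone. The outer parentheses in ((u64)sparse_header->blk_sz) are redundant.
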
>> @@ -162,7 +162,7 @@ int write_sparse_image(struct sparse_storage *info,
>>                   return -1;
>>               }
>>               blk += blks;
>> -            bytes_written += blkcnt * info->blksz;
>> +            bytes_written += ((u64)blkcnt) * info->blksz;
>>               total_blocks += chunk_header->chunk_sz;
>>               data += chunk_data_sz;
>>               break;
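
Review bot: data += chunk_data_sz in the trailing context now advances the pointer by a 64-bit value derived from the image headers, and nothing in this hunk checks it against the amount of data actually remaining in the buffer. With the overflow gone, a large chunk_sz reaches this line intact, so the RAW case should reject a chunk whose chunk_data_sz exceeds the remaining image bytes before writing and before advancing data.
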
>> @@ -222,7 +222,7 @@ int write_sparse_image(struct sparse_storage *info,
>>                   blk += blks;
>>                   i += j;
>>               }
>> -            bytes_written += blkcnt * info->blksz;
>> +            bytes_written += ((u64)blkcnt) * info->blksz;
>>               total_blocks += chunk_data_sz / sparse_header->blk_sz;
>>               free(fill_buf);
>>               break;
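
Review bot: total_blocks += chunk_data_sz / sparse_header->blk_sz in the trailing context becomes a 64-bit division once chunk_data_sz is widened. As long as chunk_data_sz is not modified earlier in the fill case, that quotient is just chunk_header->chunk_sz, given the assignment in the second hunk. Writing total_blocks += chunk_header->chunk_sz, as the RAW case does, avoids the wide division and keeps the two cases consistent.
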
>> @@ -253,7 +253,7 @@ int write_sparse_image(struct sparse_storage *info,
>>       debug("Wrote %d blocks, expected to write %d blocks\n",
>>             total_blocks, sparse_header->total_blks);
>> -    printf("........ wrote %u bytes to '%s'\n", bytes_written, part_name);
>> +    printf("........ wrote %llu bytes to '%s'\n", bytes_written, part_name);
>>       if (total_blocks != sparse_header->total_blks) {
>>           info->mssg("sparse image write failure", response);
>>
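
Review bot: %llu in the changed printf only matches a uint64_t argument on builds where uint64_t is unsigned long long. Cast the argument, for example (unsigned long long)bytes_written, so the format is correct everywhere. The debug() call in the leading context still prints total_blocks and sparse_header->total_blks with %d, which is worth checking against their declared types in the same pass.
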

