[PATCH] fastboot: Fix overflow when calculating chunk size
Lukasz Majewski
lukma at denx.de
Wed May 26 09:12:30 CEST 2021
Hi Sean,
> On 5/13/21 11:54 AM, Sean Anderson wrote:
> > Hi Lukasz,
> >
> > Can this make it into 2020.07? Thanks,
>
> ping? Should Tom pick this up instead?
>
Yes, Tom please pick it up - as I will not prepare PR sooner than June.
> --Sean
>
> >
> > --Sean
> >
> > On 4/16/21 5:58 PM, Sean Anderson wrote:
> >> If a chunk was larger than 4GiB, then chunk_data_sz would overflow
> >> and blkcnt would not be calculated correctly. Upgrade it to a u64
> >> and cast its multiplicands as well. Also fix bytes_written while
> >> we're at it.
> >>
> >> Signed-off-by: Sean Anderson <sean.anderson at seco.com>
> >> ---
> >>
> >> lib/image-sparse.c | 12 ++++++------
> >> 1 file changed, 6 insertions(+), 6 deletions(-)
> >>
> >> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
> >> index 187ac28cd3..52c8dcc08c 100644
> >> --- a/lib/image-sparse.c
> >> +++ b/lib/image-sparse.c
> >> @@ -55,10 +55,10 @@ int write_sparse_image(struct sparse_storage
> >> *info, lbaint_t blk;
> >> lbaint_t blkcnt;
> >> lbaint_t blks;
> >> - uint32_t bytes_written = 0;
> >> + uint64_t bytes_written = 0;
> >> unsigned int chunk;
> >> unsigned int offset;
> >> - unsigned int chunk_data_sz;
> >> + uint64_t chunk_data_sz;
> >> uint32_t *fill_buf = NULL;
> >> uint32_t fill_val;
> >> sparse_header_t *sparse_header;
> >> @@ -132,7 +132,7 @@ int write_sparse_image(struct sparse_storage
> >> *info, sizeof(chunk_header_t));
> >> }
> >> - chunk_data_sz = sparse_header->blk_sz *
> >> chunk_header->chunk_sz;
> >> + chunk_data_sz = ((u64)sparse_header->blk_sz) *
> >> chunk_header->chunk_sz; blkcnt = chunk_data_sz / info->blksz;
> >> switch (chunk_header->chunk_type) {
> >> case CHUNK_TYPE_RAW:
> >> @@ -162,7 +162,7 @@ int write_sparse_image(struct sparse_storage
> >> *info, return -1;
> >> }
> >> blk += blks;
> >> - bytes_written += blkcnt * info->blksz;
> >> + bytes_written += ((u64)blkcnt) * info->blksz;
> >> total_blocks += chunk_header->chunk_sz;
> >> data += chunk_data_sz;
> >> break;
> >> @@ -222,7 +222,7 @@ int write_sparse_image(struct sparse_storage
> >> *info, blk += blks;
> >> i += j;
> >> }
> >> - bytes_written += blkcnt * info->blksz;
> >> + bytes_written += ((u64)blkcnt) * info->blksz;
> >> total_blocks += chunk_data_sz /
> >> sparse_header->blk_sz; free(fill_buf);
> >> break;
> >> @@ -253,7 +253,7 @@ int write_sparse_image(struct sparse_storage
> >> *info, debug("Wrote %d blocks, expected to write %d blocks\n",
> >> total_blocks, sparse_header->total_blks);
> >> - printf("........ wrote %u bytes to '%s'\n", bytes_written,
> >> part_name);
> >> + printf("........ wrote %llu bytes to '%s'\n", bytes_written,
> >> part_name); if (total_blocks != sparse_header->total_blks) {
> >> info->mssg("sparse image write failure", response);
> >>
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-59 Fax: (+49)-8142-66989-80 Email: lukma at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20210526/bee75fab/attachment.sig>
More information about the U-Boot
mailing list