[PATCH 3/4] fs: squashfs: prevent integer overflow in sqfs_concat_tokens()

Sun Dec 28 17:45:27 CET 2025

Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
---
 fs/squashfs/sqfs.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..e6a3e0fa9f2 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -254,11 +254,16 @@ static int sqfs_get_tokens_length(char **tokens, int count)
 static char *sqfs_concat_tokens(char **token_list, int token_count)
 {
 	char *result;
-	int i, length = 0, offset = 0;
+	size_t i, length = 0, offset = 0;
+	size_t alloc;
 
 	length = sqfs_get_tokens_length(token_list, token_count);
+	
+	if (__builtin_add_overflow(length, 1 , &alloc))
+        return 0;
 
-	result = malloc(length + 1);
+
+	result = malloc(alloc);
 	if (!result)
 		return NULL;
 
-- 
2.43.0


