[PATCH v2 3/4] fs: prevent integer overflow in sqfs_concat
Simon Glass
sjg at chromium.org
Thu Jan 8 20:59:12 CET 2026
Hi Timo,
On Wed, 31 Dec 2025 at 06:19, Timo tp Preißl <t.preissl at proton.me> wrote:
>
> An integer overflow in length calculation could lead to
> under-allocation and buffer overcopy.
>
> Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
> ---
> fs/squashfs/sqfs.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 4d3d83b7587..1dc63257fb9 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -254,11 +254,15 @@ static int sqfs_get_tokens_length(char **tokens, int count)
> static char *sqfs_concat_tokens(char **token_list, int token_count)
> {
> char *result;
> - int i, length = 0, offset = 0;
> + size_t i, length = 0, offset = 0;
> + size_t alloc;
>
token_count is an int, so I think 'i' should stay as one?
> length = sqfs_get_tokens_length(token_list, token_count);
>
> - result = malloc(length + 1);
> + if (__builtin_add_overflow(length, 1, &alloc))
> + return 0;
> +
> + result = malloc(alloc);
> if (!result)
> return NULL;
>
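Review bot: the overflow path uses `return 0;` while the function returns `char *` and the `!result` path two lines below uses `return NULL;`; make it `return NULL;` for consistency. Also, the hunk header shows `sqfs_get_tokens_length()` returns `int`, so after the implicit conversion `length` is at most `INT_MAX` and `length + 1` cannot overflow a `size_t` here, which makes the `__builtin_add_overflow` check ineffective; a negative return would instead convert to a huge `size_t` and pass it. The summation that can actually overflow is inside `sqfs_get_tokens_length()` (an `int` accumulating `strlen` results), so the guard belongs there, or this function should reject a negative result before using it.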
> --
> 2.43.0
>
>
Regards,
Simon