[PATCH v3 3/4] fs: prevent integer overflow in sqfs_concat

Joao Marcos Costa joaomarcos.costa at bootlin.com
Fri Jan 9 14:15:04 CET 2026


Hello,

On 1/9/26 12:24, Timo tp Preißl wrote:
> An integer overflow in length calculation could lead to
> under-allocation and buffer overcopy.
> 
> Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
> ---
>   fs/squashfs/sqfs.c | 6 +++++-
>   1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
> index 4d3d83b7587..f668c26472e 100644
> --- a/fs/squashfs/sqfs.c
> +++ b/fs/squashfs/sqfs.c
> @@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int token_count)
>   {
>   	char *result;
>   	int i, length = 0, offset = 0;
> +	size_t alloc;
>   
>   	length = sqfs_get_tokens_length(token_list, token_count);
>   
> -	result = malloc(length + 1);
> +	if (__builtin_add_overflow(length, 1, &alloc))
> +		return 0;
> +
> +	result = malloc(alloc);
>   	if (!result)
>   		return NULL;
>   
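Review bot: the new overflow branch uses `return 0;` in a function that returns `char *`, while the allocation-failure branch directly below it uses `return NULL;`; use `return NULL;` in both so the error paths read the same. Separately, `length` is still declared `int` and is assigned from sqfs_get_tokens_length() before the check runs, so `__builtin_add_overflow(length, 1, &alloc)` only guards the final `+ 1`. If the overflow described in the commit message can happen while the token lengths are being summed, that helper needs its own check, and a negative `length` of -1 would pass this test with `alloc` equal to 0. A one-line comment above the check stating which case it rejects would also help.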

Reviewed-by: João Marcos Costa <joaomarcos.costa at bootlin.com>

Thanks for the fix!
-- 
Best regards,
João Marcos Costa

