Hello,

On 1/9/26 12:24, Timo tp Preißl wrote:
An integer overflow in length calculation could lead to
under-allocation and buffer overcopy.

Signed-off-by: Timo tp Preißl <[email protected]>
---
  fs/squashfs/sqfs.c | 6 +++++-
  1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..f668c26472e 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int 
token_count)
  {
        char *result;
        int i, length = 0, offset = 0;
+       size_t alloc;
length = sqfs_get_tokens_length(token_list, token_count); - result = malloc(length + 1);
+       if (__builtin_add_overflow(length, 1, &alloc))
+               return 0;
+
+       result = malloc(alloc);
        if (!result)
                return NULL;
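Review bot: the new `return 0;` after the `__builtin_add_overflow()` check returns an integer literal from a function whose return type is `char *`, while the existing `if (!result)` path two lines below uses `return NULL;`; please use `return NULL;` here as well so both failure paths read consistently as a null-pointer return. Note also that this check only guards the `+ 1` feeding `malloc()`: `length` is still an `int` filled by `sqfs_get_tokens_length()`, so an overflow inside that summation (not visible in this hunk) would not be caught by this hunk and is worth confirming is handled in that function, given the commit message attributes the bug to the length calculation.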

Reviewed-by: João Marcos Costa <[email protected]>

Thanks for the fix!
--
Best regards,
João Marcos Costa
