On Fri, 9 Jan 2026 at 06:08, Timo tp Preißl <[email protected]> wrote:
>
> An integer overflow in length calculation could lead to
> under-allocation and buffer overcopy.
>
> Signed-off-by: Timo tp Preißl <[email protected]>
> ---
> fs/squashfs/sqfs.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
Reviewed-by: Simon Glass <[email protected]> > diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c > index 4d3d83b7587..f668c26472e 100644 > --- a/fs/squashfs/sqfs.c > +++ b/fs/squashfs/sqfs.c > @@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int > token_count) > { > char *result; > int i, length = 0, offset = 0; > + size_t alloc; > > length = sqfs_get_tokens_length(token_list, token_count); > > - result = malloc(length + 1); > + if (__builtin_add_overflow(length, 1, &alloc)) > + return 0; > + > + result = malloc(alloc); > if (!result) > return NULL; > > -- > 2.43.0 > >
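Review bot: the new check in sqfs_concat_tokens() only guards the final `+ 1`, not the overflow the commit message describes in the length calculation itself: `length` is still an `int` filled from `sqfs_get_tokens_length()`, so if the summation of token lengths wraps in that helper, `length` arrives already wrong (possibly negative) and `__builtin_add_overflow(length, 1, &alloc)` does not reliably reject it (for `length == -1` it returns false and leaves `alloc == 0`, so the code proceeds to `malloc(0)`). Consider doing the overflow-checked accumulation inside `sqfs_get_tokens_length()` with a `size_t` result, or at least rejecting `length < 0` before the add. Minor style point on the same lines: the new early exit is `return 0;` while the `malloc` failure path right below it is `return NULL;`; use `return NULL;` for the `char *` return so the two error paths match.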

