[PATCH mtd-utils] ubi-utils: Fix integer overflow in mtdinfo.c

Zhihao Cheng chengzhihao1 at huawei.com
Sat Dec 14 04:19:07 PST 2024


On 2024/12/14 18:51, Anton Moryakov wrote:
> Report of the static analyzer:
> The value of an arithmetic expression 'reginfo->offset + i * reginfo->erasesize' is a subject to overflow
> because its operands are not cast to a larger data type before performing arithmetic
> 
> Corrections explained:
> Added casting i and start to unsigned long long
> 
> Triggers found by static analyzer Svace.
> 
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
> 
> ---
>   ubi-utils/mtdinfo.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
> index 7dff0de..850297b 100644
> --- a/ubi-utils/mtdinfo.c
> +++ b/ubi-utils/mtdinfo.c
> @@ -203,7 +203,7 @@ static void print_region_map(const struct mtd_dev_info *mtd, int fd,
>   		ret_locked = ret_bad = errno_locked = errno_bad = 0;
>   
>   	for (i = 0; i < reginfo->numblocks; ++i) {
> -		start = reginfo->offset + i * reginfo->erasesize;
> +		(unsigned long long)start = reginfo->offset + (unsigned long long)i * reginfo->erasesize;
>   		printf(" %*i: %08lx ", width, i, start);
>   
>   		if (ret_locked != -1) {
> 
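Review bot: the added line casts the assignment target, `(unsigned long long)start = ...`, and a cast expression is not an lvalue in C, so this line does not compile. Keep the cast on `i`, which is what makes the multiplication by `reginfo->erasesize` happen in a wider type, and drop the cast on the left-hand side. To keep the widened result from being truncated on assignment where `unsigned long` is 32 bits, change the declaration of `start` to `unsigned long long` and update the `%08lx` in the following `printf` to match.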

What I mean is modifying it like the following:

diff --git a/ubi-utils/mtdinfo.c b/ubi-utils/mtdinfo.c
index 7dff0de..12d35eb 100644
--- a/ubi-utils/mtdinfo.c
+++ b/ubi-utils/mtdinfo.c
@@ -185,7 +185,7 @@ static void print_ubi_info(const struct mtd_info 
*mtd_info,
  static void print_region_map(const struct mtd_dev_info *mtd, int fd,
                              const region_info_t *reginfo)
  {
-       unsigned long start;
+       unsigned long long start;
         int i, width;
         int ret_locked, errno_locked, ret_bad, errno_bad;

@@ -203,7 +203,7 @@ static void print_region_map(const struct 
mtd_dev_info *mtd, int fd,
                 ret_locked = ret_bad = errno_locked = errno_bad = 0;

         for (i = 0; i < reginfo->numblocks; ++i) {
-               start = reginfo->offset + i * reginfo->erasesize;
+               start = reginfo->offset + (unsigned long long)i * 
reginfo->erasesize;
                 printf(" %*i: %08lx ", width, i, start);

                 if (ret_locked != -1) {
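Review bot: the context line `printf(" %*i: %08lx ", width, i, start);` still passes `start` to `%08lx` although the first hunk changes it to `unsigned long long`. The conversion specifier then no longer matches the argument type, which is undefined behaviour and prints wrong offsets where `unsigned long` is narrower than `unsigned long long`. Change the specifier to `%08llx` in the same patch. The cast on `i` is placed correctly, since it widens the multiplication before it can wrap.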


