[PATCH mtd-utils] jffsX-utils: fix integer overflow in jffs2dump.c
Zhihao Cheng
chengzhihao1 at huawei.com
Thu Dec 19 17:14:30 PST 2024
在 2024/12/19 21:46, Anton Moryakov 写道:
> Report of the static analyzer:
> The value of an arithmetic expression 'datsize + oobsize' is a subject to overflow because its operands are not cast to a larger data type before performing arithmetic.
>
> Corrections explained:
> - Added a check to validate datsize and oobsize to ensure they are non-negative and within a safe range.
> - Cast datsize and oobsize to long before performing arithmetic to prevent potential integer overflow.
>
> This change ensures safe computation of offsets and prevents undefined behavior caused by overflow.
>
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
> ---
> jffsX-utils/jffs2dump.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/jffsX-utils/jffs2dump.c b/jffsX-utils/jffs2dump.c
> index 30455ea..5b0e144 100644
> --- a/jffsX-utils/jffs2dump.c
> +++ b/jffsX-utils/jffs2dump.c
> @@ -772,6 +772,13 @@ int main(int argc, char **argv)
> exit(EXIT_FAILURE);
> }
>
> + if (datsize < 0 oobsize < 0 datsize > imglen || (long)datsize + oobsize < 0) {
It makes compiling failed, please do the basic tests before sending
patches out.
> + fprintf(stderr, "Error: invalid datsize/oobsize.\n");
> + free(data);
> + close (fd);
> + exit(EXIT_FAILURE);
> + }
> +
> if (datsize && oobsize) {
> int idx = 0;
> long len = imglen;
> @@ -783,7 +790,7 @@ int main(int argc, char **argv)
> read_nocheck (fd, oob, oobsize);
> idx += datsize;
> imglen -= oobsize;
> - len -= datsize + oobsize;
> + len -= (long)datsize + oobsize;
> }
>
> } else {
>
More information about the linux-mtd
mailing list