[PATCH] misc-utils: docfdisk.c: validate partition size to prevent arithmetic overflow
Anton Moryakov
ant.v.moryakov at gmail.com
Tue Oct 28 03:48:10 PDT 2025
Report of the static analyzer:
Possible integer overflow: right operand is tainted.
An integer overflow may occur due to arithmetic operation (addition)
between variable 'block' and value { [1, 4294967295] } of 'nblocks[i]',
when 'block' is equal to '1'
Correction explained:
Added bounds check before incrementing block counter to ensure that
adding nblocks[i] does not exceed totblocks. This prevents potential
integer overflow when user-specified partition sizes are too large,
which could lead to incorrect partition table layout and device corruption.
The validation ensures safe arithmetic by checking block + nblocks[i] <= totblocks
using unsigned comparison.
Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
---
misc-utils/docfdisk.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c
index 486ce29..df070b2 100644
--- a/misc-utils/docfdisk.c
+++ b/misc-utils/docfdisk.c
@@ -255,6 +255,10 @@ int main(int argc, char **argv)
ip->firstUnit = cpu_to_le32(block);
if (!nblocks[i])
nblocks[i] = totblocks - block;
+ if (nblocks[i] > totblocks || block > totblocks - nblocks[i]) {
+ printf("Requested partition size exceeds available device space.\n");
+ return 1;
+ }
ip->virtualUnits = cpu_to_le32(nblocks[i]);
block += nblocks[i];
ip->lastUnit = cpu_to_le32(block-1);
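Review bot: the added check still lets a zero-length partition through. When `nblocks[i]` is 0 on entry and `block == totblocks`, the default just above sets `nblocks[i] = totblocks - block`, which is 0, both comparisons in the new `if` are false, and `ip->lastUnit` is then written as `block-1`, one below `ip->firstUnit`. Rejecting `nblocks[i] == 0` after the default is applied would close that case. The subtraction form `block > totblocks - nblocks[i]` is the right way to avoid the wrapping addition, but the commit message describes the test as `block + nblocks[i] <= totblocks`; it should match the code. The error text would also be more useful on stderr and with the partition index `i` included, since the `printf` as written does not say which requested size was rejected. Note too that `ip->firstUnit` has already been written for this entry before the `return 1`, so moving the check above that assignment keeps the table entry untouched on the error path.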
--
2.39.2