An integer overflow in size calculations could lead to under-allocation and potential heap buffer overflow.
Signed-off-by: Timo tp Preißl <[email protected]>
---
 fs/fs.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af85..319c55c440a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
 	 */
 	if (dirs) {
 		char *src_name = strrchr(src, '/');
-		int dst_len;
 		if (src_name)
 			src_name += 1;
 		else
 			src_name = src;
-		dst_len = strlen(dst);
-		new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+		size_t dst_len = strlen(dst);
+		size_t src_len = strlen(src_name);
+		size_t total;
+
+		if (__builtin_add_overflow(dst_len, src_len, &total) ||
+		    __builtin_add_overflow(total, 2, &total)) {
+			return 0;
+		}
+
+		new_dst = calloc(1, total);
+		if (!new_dst)
+			return 0;
+
 		strcpy(new_dst, dst);
 		/* If there is already a trailing slash, don't add another */
-- 
2.43.0
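Review bot: Both new `return 0;` statements report success to the command interpreter for a failed size computation and a failed calloc(), since 0 is CMD_RET_SUCCESS for a U-Boot command handler such as do_mv; they should be `return CMD_RET_FAILURE;` (or jump to the function's exit path if it has one, which lies outside the hunk). The trailing-slash check that follows the hunk presumably reads the last byte of new_dst through `dst_len - 1`; with dst_len now a size_t, an empty dst makes that index wrap to SIZE_MAX instead of -1, so a `dst_len == 0` guard is still missing. The __builtin_add_overflow checks on two strlen() results are effectively unreachable for strings that fit in the address space; the int-to-size_t change and the NULL check are what actually close the under-allocation. do_mv begins and ends outside the hunk.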

