An integer overflow in the length calculation could lead to under-allocation of the result buffer followed by an out-of-bounds copy into it.
Signed-off-by: Timo tp Preißl <[email protected]>
---
 fs/squashfs/sqfs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..1dc63257fb9 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -254,11 +254,15 @@ static int sqfs_get_tokens_length(char **tokens, int count)
 static char *sqfs_concat_tokens(char **token_list, int token_count)
 {
 	char *result;
-	int i, length = 0, offset = 0;
+	size_t i, length = 0, offset = 0;
+	size_t alloc;
 
 	length = sqfs_get_tokens_length(token_list, token_count);
-	result = malloc(length + 1);
+	if (__builtin_add_overflow(length, 1, &alloc))
+		return 0;
+
+	result = malloc(alloc);
 	if (!result)
 		return NULL;
-- 
2.43.0
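Review bot: The new `__builtin_add_overflow(length, 1, &alloc)` guard can only trip when `length == SIZE_MAX`, so the overflow the commit message describes is not caught here: `length` is now `size_t`, but it is filled from `sqfs_get_tokens_length()`, which per the hunk header still returns `int`, so any overflow in that helper's summation happens (as signed arithmetic) before this check and a negative result is silently converted to a huge `size_t` rather than rejected. Unless that helper is also changed to return `size_t` or to report overflow, the size this guard protects is already wrong by the time it runs; hedged, since the helper's body is outside the hunk. The new failure path returns `0` while the allocation-failure path two lines below returns `NULL`; for consistency write `return NULL;`. `i` is now `size_t` while `token_count` stays `int`, so the copy loop later in this function presumably compares them with mixed signedness and is worth checking under -Wsign-compare. The body of sqfs_concat_tokens continues past the end of the hunk.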

