On Wed, 31 Dec 2025 at 06:18, Timo tp Preißl <[email protected]> wrote:
>
> An integer overflow in size calculations could lead to
> under-allocation and potential heap buffer overflow.
>
> Signed-off-by: Timo tp Preißl <[email protected]>
> ---
>  fs/fs.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
Reviewed-by: Simon Glass <[email protected]> > > diff --git a/fs/fs.c b/fs/fs.c > index c7706d9af85..319c55c440a 100644 > --- a/fs/fs.c > +++ b/fs/fs.c > @@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, > char *const argv[], > */ > if (dirs) { > char *src_name = strrchr(src, '/'); > - int dst_len; > > if (src_name) > src_name += 1; > else > src_name = src; > > - dst_len = strlen(dst); > - new_dst = calloc(1, dst_len + strlen(src_name) + 2); > + size_t dst_len = strlen(dst); > + size_t src_len = strlen(src_name); > + size_t total; > + > + if (__builtin_add_overflow(dst_len, src_len, &total) || > + __builtin_add_overflow(total, 2, &total)) { > + return 0; > + } > + > + new_dst = calloc(1, total); > + if (!new_dst) > + return 0; > + > strcpy(new_dst, dst); > > /* If there is already a trailing slash, don't add another */ > -- > 2.43.0 > >
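Review bot: both new error paths in do_mv() (the `__builtin_add_overflow` branch and the `if (!new_dst)` check) use `return 0;`, which for a command handler is CMD_RET_SUCCESS, so a rejected length or a failed calloc() would be reported to the shell as a successful mv. Return CMD_RET_FAILURE on both paths instead. As a style point, `size_t dst_len`, `src_len` and `total` are now declared after the `if (src_name)` statements; declare them at the top of the `if (dirs)` block, where the removed `int dst_len;` was, and assign them after the `src_name` fix-up. The braces around the single `return 0;` in the overflow check can also be dropped to match the unbraced `if (!new_dst)` just below it.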

