Hi Timo, On Wed, 31 Dec 2025 at 06:19, Timo tp Preißl <[email protected]> wrote: > > An integer overflow in length calculation could lead to > under-allocation and buffer overcopy. > > Signed-off-by: Timo tp Preißl <[email protected]> > --- > fs/squashfs/sqfs.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c > index 4d3d83b7587..1dc63257fb9 100644 > --- a/fs/squashfs/sqfs.c > +++ b/fs/squashfs/sqfs.c > @@ -254,11 +254,15 @@ static int sqfs_get_tokens_length(char **tokens, int > count) > static char *sqfs_concat_tokens(char **token_list, int token_count) > { > char *result; > - int i, length = 0, offset = 0; > + size_t i, length = 0, offset = 0; > + size_t alloc; >
token_count is an int, so I think 'i' should stay as one? > length = sqfs_get_tokens_length(token_list, token_count); > > - result = malloc(length + 1); > + if (__builtin_add_overflow(length, 1, &alloc)) > + return 0; > + > + result = malloc(alloc); > if (!result) > return NULL; > > -- > 2.43.0 > > Regards, Simon
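Review bot: the new early return on overflow should be `return NULL;` rather than `return 0;`, since sqfs_concat_tokens returns `char *` and the malloc-failure path two lines below already returns NULL; mixing 0 and NULL for the same error condition in one function is confusing. Separately, the hunk header shows `static int sqfs_get_tokens_length(char **tokens, int count)`, so `length` is assigned from an `int` return value and the only operation the new `__builtin_add_overflow(length, 1, &alloc)` guards is the final `+ 1` on a `size_t`, which cannot overflow for any non-negative int input; the "integer overflow in length calculation" named in the commit message would occur while the token lengths are summed inside sqfs_get_tokens_length, which this hunk does not change. If that accumulation is the concern, the overflow check belongs there (or sqfs_get_tokens_length should return a `size_t` and report failure explicitly), and the commit message should say which addition is being protected.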

