| Message ID | 20241217124422.245489-1-ant.v.moryakov@gmail.com |
|---|---|
| State | Rejected |
| Delegated to: | David Oberhollenzer |
| Headers | show |
| Series | [mtd-utils] misc-utils: Fix integer overflow in docfdisk.c | expand |
在 2024/12/17 20:44, Anton Moryakov 写道: > Report of the static analyzer: > Possible integer underflow: left operand is tainted. An integer underflow may occur due to arithmetic operation (subtraction) between variable 'block' and value '1', when 'block' is tainted { [-2147483648, 2147483647] } > > Corrections explained: > Added the block <= 0 check, which prevents integer underflow when calculating block - 1 and ensures that block is always positive. > > Triggers found by static analyzer Svace. > > Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> > > --- > misc-utils/docfdisk.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c > index 486ce29..e473ceb 100644 > --- a/misc-utils/docfdisk.c > +++ b/misc-utils/docfdisk.c > @@ -255,6 +255,10 @@ int main(int argc, char **argv) > ip->firstUnit = cpu_to_le32(block); > if (!nblocks[i]) > nblocks[i] = totblocks - block; > + if (block <= 0) { > + fprintf(stderr, "Error: Invalid block value (%d). Block must be greater than 0.\n", block); > + return -1; > + } In the previous code, 'block' is already initialized as: block = mhoffs / unitsize; block++; So I don't think underflow could happen. > ip->virtualUnits = cpu_to_le32(nblocks[i]); > block += nblocks[i]; > ip->lastUnit = cpu_to_le32(block-1); >
diff --git a/misc-utils/docfdisk.c b/misc-utils/docfdisk.c index 486ce29..e473ceb 100644 --- a/misc-utils/docfdisk.c +++ b/misc-utils/docfdisk.c @@ -255,6 +255,10 @@ int main(int argc, char **argv) ip->firstUnit = cpu_to_le32(block); if (!nblocks[i]) nblocks[i] = totblocks - block; + if (block <= 0) { + fprintf(stderr, "Error: Invalid block value (%d). Block must be greater than 0.\n", block); + return -1; + } ip->virtualUnits = cpu_to_le32(nblocks[i]); block += nblocks[i]; ip->lastUnit = cpu_to_le32(block-1);
Report of the static analyzer: Possible integer underflow: left operand is tainted. An integer underflow may occur due to arithmetic operation (subtraction) between variable 'block' and value '1', when 'block' is tainted { [-2147483648, 2147483647] } Corrections explained: Added the block <= 0 check, which prevents integer underflow when calculating block - 1 and ensures that block is always positive. Triggers found by static analyzer Svace. Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com> --- misc-utils/docfdisk.c | 4 ++++ 1 file changed, 4 insertions(+)