|
 |
a9c310 |
From b989de221a8399d42aede6da03297cad3330f12a Mon Sep 17 00:00:00 2001
|
|
|
a9c310 |
From: Theodore Ts'o <tytso@mit.edu>
|
|
|
a9c310 |
Date: Mon, 4 Nov 2019 16:43:41 -0500
|
|
|
a9c310 |
Subject: [PATCH 01/10] libext2fs: fix bug when reading or writing more than
|
|
|
a9c310 |
2GB in unix_io
|
|
|
a9c310 |
|
|
|
a9c310 |
If count * block_size exceeds 2GB, we will overflow a 32-bit signed
|
|
|
a9c310 |
integer value. This shouldn't happen in practice except for
|
|
|
a9c310 |
fuzz-corrupted file systems, but let's fix the code so it's correct.
|
|
|
a9c310 |
|
|
|
a9c310 |
Bug: https://github.com/tytso/e2fsprogs/issues/24
|
|
|
a9c310 |
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
|
|
|
a9c310 |
---
|
|
|
a9c310 |
lib/ext2fs/unix_io.c | 4 ++--
|
|
|
a9c310 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
a9c310 |
|
|
|
a9c310 |
diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
|
|
|
a9c310 |
index 74fc8a75..628e60c3 100644
|
|
|
a9c310 |
--- a/lib/ext2fs/unix_io.c
|
|
|
a9c310 |
+++ b/lib/ext2fs/unix_io.c
|
|
|
a9c310 |
@@ -166,7 +166,7 @@ static errcode_t raw_read_blk(io_channel channel,
|
|
|
a9c310 |
unsigned char *buf = bufv;
|
|
|
a9c310 |
ssize_t really_read = 0;
|
|
|
a9c310 |
|
|
|
a9c310 |
- size = (count < 0) ? -count : count * channel->block_size;
|
|
|
a9c310 |
+ size = (count < 0) ? -count : (ext2_loff_t) count * channel->block_size;
|
|
|
a9c310 |
data->io_stats.bytes_read += size;
|
|
|
a9c310 |
location = ((ext2_loff_t) block * channel->block_size) + data->offset;
|
|
|
a9c310 |
|
|
|
a9c310 |
@@ -275,7 +275,7 @@ static errcode_t raw_write_blk(io_channel channel,
|
|
|
a9c310 |
if (count < 0)
|
|
|
a9c310 |
size = -count;
|
|
|
a9c310 |
else
|
|
|
a9c310 |
- size = count * channel->block_size;
|
|
|
a9c310 |
+ size = (ext2_loff_t) count * channel->block_size;
|
|
|
a9c310 |
}
|
|
|
a9c310 |
data->io_stats.bytes_written += size;
|
|
|
a9c310 |
|
|
|
a9c310 |
--
|
|
|
a9c310 |
2.21.1
|
|
|
a9c310 |
|