authorTheodore Ts'o <tytso@mit.edu>2019-11-04 16:43:41 -0500
committerTheodore Ts'o <tytso@mit.edu>2019-11-04 16:43:41 -0500
commit9bfbf1d5b93388d62a7f0eb498ab30d7a6aab871 (patch)
treec6b17257d7d0555b8fc594b5c3a0307ced0644a3
parent8692a3acf91cb2f0ece33fa44bd351152e481c79 (diff)
downloade2fsprogs-9bfbf1d5b93388d62a7f0eb498ab30d7a6aab871.tar.gz
libext2fs: fix bug when reading or writing more than 2GB in unix_io
If count * block_size exceeds 2GB, we will overflow a 32-bit signed integer value. This shouldn't happen in practice except for fuzz-corrupted file systems, but let's fix the code so it's correct. Bug: https://github.com/tytso/e2fsprogs/issues/24 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r--lib/ext2fs/unix_io.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
index 74fc8a75d..628e60c39 100644
--- a/lib/ext2fs/unix_io.c
+++ b/lib/ext2fs/unix_io.c
@@ -166,7 +166,7 @@ static errcode_t raw_read_blk(io_channel channel,
unsigned char *buf = bufv;
ssize_t really_read = 0;
- size = (count < 0) ? -count : count * channel->block_size;
+ size = (count < 0) ? -count : (ext2_loff_t) count * channel->block_size;
data->io_stats.bytes_read += size;
location = ((ext2_loff_t) block * channel->block_size) + data->offset;
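Review bot: The widened product is still stored in `size`, whose declaration is outside this hunk; if that variable is `ssize_t` or another type narrower than `ext2_loff_t` on 32-bit builds, the 64-bit result is truncated again on assignment, so the declared type should be confirmed or an oversized request rejected with an error before any I/O is issued. The negative branch is also still negated as `int`, which overflows when `count` is `INT_MIN`; casting before negation avoids that: `size = (count < 0) ? -(ext2_loff_t) count : (ext2_loff_t) count * channel->block_size;`. Both points apply equally to the `size = -count;` / `size = (ext2_loff_t) count * channel->block_size;` pair in the raw_write_blk hunk. The bodies of raw_read_blk and raw_write_blk start and end outside the hunks shown, so the type of `size` and any earlier validation of `count` cannot be checked from here.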
@@ -275,7 +275,7 @@ static errcode_t raw_write_blk(io_channel channel,
if (count < 0)
size = -count;
else
- size = count * channel->block_size;
+ size = (ext2_loff_t) count * channel->block_size;
}
data->io_stats.bytes_written += size;