diff options
author | Theodore Ts'o <tytso@mit.edu> | 2019-11-04 16:43:41 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2019-11-04 16:43:41 -0500 |
commit | 9bfbf1d5b93388d62a7f0eb498ab30d7a6aab871 (patch) | |
tree | c6b17257d7d0555b8fc594b5c3a0307ced0644a3 | |
parent | 8692a3acf91cb2f0ece33fa44bd351152e481c79 (diff) | |
download | e2fsprogs-9bfbf1d5b93388d62a7f0eb498ab30d7a6aab871.tar.gz |
libext2fs: fix bug when reading or writing more than 2GB in unix_io
If count * block_size exceeds 2GB, we will overflow a 32-bit signed
integer value. This shouldn't happen in practice except for
fuzz-corrupted file systems, but let's fix the code so it's correct.
Bug: https://github.com/tytso/e2fsprogs/issues/24
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rw-r--r-- | lib/ext2fs/unix_io.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c index 74fc8a75d..628e60c39 100644 --- a/lib/ext2fs/unix_io.c +++ b/lib/ext2fs/unix_io.c @@ -166,7 +166,7 @@ static errcode_t raw_read_blk(io_channel channel, unsigned char *buf = bufv; ssize_t really_read = 0; - size = (count < 0) ? -count : count * channel->block_size; + size = (count < 0) ? -count : (ext2_loff_t) count * channel->block_size; data->io_stats.bytes_read += size; location = ((ext2_loff_t) block * channel->block_size) + data->offset; @@ -275,7 +275,7 @@ static errcode_t raw_write_blk(io_channel channel, if (count < 0) size = -count; else - size = count * channel->block_size; + size = (ext2_loff_t) count * channel->block_size; } data->io_stats.bytes_written += size; |