From b989de221a8399d42aede6da03297cad3330f12a Mon Sep 17 00:00:00 2001 From: Theodore Ts'o Date: Mon, 4 Nov 2019 16:43:41 -0500 Subject: [PATCH 01/10] libext2fs: fix bug when reading or writing more than 2GB in unix_io If count * block_size exceeds 2GB, we will overflow a 32-bit signed integer value. This shouldn't happen in practice except for fuzz-corrupted file systems, but let's fix the code so it's correct. Bug: https://github.com/tytso/e2fsprogs/issues/24 Signed-off-by: Theodore Ts'o --- lib/ext2fs/unix_io.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c index 74fc8a75..628e60c3 100644 --- a/lib/ext2fs/unix_io.c +++ b/lib/ext2fs/unix_io.c @@ -166,7 +166,7 @@ static errcode_t raw_read_blk(io_channel channel, unsigned char *buf = bufv; ssize_t really_read = 0; - size = (count < 0) ? -count : count * channel->block_size; + size = (count < 0) ? -count : (ext2_loff_t) count * channel->block_size; data->io_stats.bytes_read += size; location = ((ext2_loff_t) block * channel->block_size) + data->offset; @@ -275,7 +275,7 @@ static errcode_t raw_write_blk(io_channel channel, if (count < 0) size = -count; else - size = count * channel->block_size; + size = (ext2_loff_t) count * channel->block_size; } data->io_stats.bytes_written += size; -- 2.21.1