fs: prevent integer overflow in sqfs_concat

An integer overflow in length calculation could lead to under-allocation and buffer overcopy. Signed-off-by: Timo tp Preißl <[email protected]> Reviewed-by: Tom Rini <[email protected]> Reviewed-by: Simon Glass <[email protected]> Reviewed-by: João Marcos Costa <[email protected]>
author: Timo tp Preißl <[email protected]> 2026-01-09 11:24:59 +0000
committer: Tom Rini <[email protected]> 2026-01-16 13:04:40 -0600
commit: 870aff99a279ed428c5a2560b2441b3079ddb34b (patch)
tree: 5b6cb30d845f11b66321dafbb61e035d7f43d4ed /fs
parent: c8f0294285f6588322363e1711bc57118e6fc9a3 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/squashfs/sqfs.c b/fs/squashfs/sqfs.c
index 4d3d83b7587..f668c26472e 100644
--- a/fs/squashfs/sqfs.c
+++ b/fs/squashfs/sqfs.c
@@ -255,10 +255,14 @@ static char *sqfs_concat_tokens(char **token_list, int token_count)
 {
 	char *result;
 	int i, length = 0, offset = 0;
+	size_t alloc;
 
 	length = sqfs_get_tokens_length(token_list, token_count);
 
-	result = malloc(length + 1);
+	if (__builtin_add_overflow(length, 1, &alloc))
+		return 0;
+
+	result = malloc(alloc);
 	if (!result)
 		return NULL;
author	Timo tp Preißl <[email protected]>	2026-01-09 11:24:59 +0000
committer	Tom Rini <[email protected]>	2026-01-16 13:04:40 -0600
commit	870aff99a279ed428c5a2560b2441b3079ddb34b (patch)
tree	5b6cb30d845f11b66321dafbb61e035d7f43d4ed /fs
parent	c8f0294285f6588322363e1711bc57118e6fc9a3 (diff)