fs: prevent integer overflow in fs.c do_mv

An integer overflow in size calculations could lead to under-allocation and potential heap buffer overflow. Signed-off-by: Timo tp Preißl <[email protected]> Reviewed-by: Simon Glass <[email protected]> Reviewed-by: Tom Rini <[email protected]>
author: Timo tp Preißl <[email protected]> 2026-01-09 11:24:45 +0000
committer: Tom Rini <[email protected]> 2026-01-16 13:04:40 -0600
commit: 99416665f006b925db12f6c02b11f9da02c10c5a (patch)
tree: 9664a681a2bbd9a290e2dd13976051f99bd2e9bf /fs
parent: 9ac621e671858bf0b80dd26b883f3781cc5acb34 (diff)
1 files changed, 13 insertions, 3 deletions
diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af85..319c55c440a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
 	 */
 	if (dirs) {
 		char *src_name = strrchr(src, '/');
-		int dst_len;
 
 		if (src_name)
 			src_name += 1;
 		else
 			src_name = src;
 
-		dst_len = strlen(dst);
-		new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+		size_t dst_len = strlen(dst);
+		size_t src_len = strlen(src_name);
+		size_t total;
+
+		if (__builtin_add_overflow(dst_len, src_len, &total) ||
+		    __builtin_add_overflow(total, 2, &total)) {
+			return 0;
+		}
+
+		new_dst = calloc(1, total);
+		if (!new_dst)
+			return 0;
+
 		strcpy(new_dst, dst);
 
 		/* If there is already a trailing slash, don't add another */
author	Timo tp Preißl <[email protected]>	2026-01-09 11:24:45 +0000
committer	Tom Rini <[email protected]>	2026-01-16 13:04:40 -0600
commit	99416665f006b925db12f6c02b11f9da02c10c5a (patch)
tree	9664a681a2bbd9a290e2dd13976051f99bd2e9bf /fs
parent	9ac621e671858bf0b80dd26b883f3781cc5acb34 (diff)