Commit 69ecbbed authored by Dan Carpenter's avatar Dan Carpenter Committed by Jan Kara

udf: potential integer overflow

bloc->logicalBlockNum is unsigned so it's never less than zero.

When I saw that, it made me worry that "bloc->logicalBlockNum + count"
could overflow.  That's why I changed the check for less than zero
to an overflow check.  (The test works because "count" is also
unsigned.)
Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent 0fdf8675
...@@ -125,9 +125,8 @@ static void udf_bitmap_free_blocks(struct super_block *sb, ...@@ -125,9 +125,8 @@ static void udf_bitmap_free_blocks(struct super_block *sb,
mutex_lock(&sbi->s_alloc_mutex); mutex_lock(&sbi->s_alloc_mutex);
partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
if (bloc->logicalBlockNum < 0 || if (bloc->logicalBlockNum + count < count ||
(bloc->logicalBlockNum + count) > (bloc->logicalBlockNum + count) > partmap->s_partition_len) {
partmap->s_partition_len) {
udf_debug("%d < %d || %d + %d > %d\n", udf_debug("%d < %d || %d + %d > %d\n",
bloc->logicalBlockNum, 0, bloc->logicalBlockNum, bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
count, partmap->s_partition_len); count, partmap->s_partition_len);
...@@ -393,9 +392,8 @@ static void udf_table_free_blocks(struct super_block *sb, ...@@ -393,9 +392,8 @@ static void udf_table_free_blocks(struct super_block *sb,
mutex_lock(&sbi->s_alloc_mutex); mutex_lock(&sbi->s_alloc_mutex);
partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
if (bloc->logicalBlockNum < 0 || if (bloc->logicalBlockNum + count < count ||
(bloc->logicalBlockNum + count) > (bloc->logicalBlockNum + count) > partmap->s_partition_len) {
partmap->s_partition_len) {
udf_debug("%d < %d || %d + %d > %d\n", udf_debug("%d < %d || %d + %d > %d\n",
bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count, bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count,
partmap->s_partition_len); partmap->s_partition_len);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment