From: Utkal Singh <singhutkal015@gmail.com>
To: hsiangkao@linux.alibaba.com
Cc: linux-erofs@lists.ozlabs.org, Utkal Singh <singhutkal015@gmail.com>
Subject: [PATCH 2/2] erofs-utils: lib: fix decodedcapacity integer overflow in inflate partial
Date: Sun, 15 Mar 2026 07:27:01 +0000 [thread overview]
Message-ID: <20260315072701.17090-2-singhutkal015@gmail.com> (raw)
In-Reply-To: <20260315072701.17090-1-singhutkal015@gmail.com>
decodedcapacity is declared as 'unsigned int' (32 bits). Two code
paths can silently overflow it and corrupt the heap:

1. The initial assignment shifts rq->decodedlength left by 4 bits
   when partial_decoding is set. Values exceeding UINT_MAX >> 4
   wrap to a small integer, causing malloc() to allocate an
   undersized buffer; a subsequent write overflows the heap.

2. The doubling loop left-shifts decodedcapacity by 1. Once it
   exceeds UINT_MAX >> 1 the result wraps to 0. On glibc,
   realloc(ptr, 0) returns a valid non-NULL pointer; the next
   write into that buffer is a silent heap overflow.

Fix both sites: change the type to size_t, cast rq->decodedlength
to size_t before the initial shift to force 64-bit arithmetic, and
add a guard before the doubling shift that returns -EFSCORRUPTED
via out_inflate_end when the value would overflow SIZE_MAX.

Signed-off-by: Utkal Singh <singhutkal015@gmail.com>
---
lib/decompress.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/lib/decompress.c b/lib/decompress.c
index f87efd5..ff703ae 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -4,6 +4,7 @@
* Created by Huang Jianan <huangjianan@oppo.com>
*/
#include <stdlib.h>
+#include <stdint.h>
#include "erofs/decompress.h"
#include "erofs/err.h"
@@ -251,13 +252,13 @@ static int z_erofs_decompress_deflate(struct z_erofs_decompress_req *rq)
unsigned int inputmargin;
struct libdeflate_decompressor *inf;
enum libdeflate_result ret;
- unsigned int decodedcapacity;
+ size_t decodedcapacity;
inputmargin = z_erofs_fixup_insize(src, rq->inputsize);
if (inputmargin >= rq->inputsize)
return -EFSCORRUPTED;
- decodedcapacity = rq->decodedlength << (4 * rq->partial_decoding);
+ decodedcapacity = (size_t)rq->decodedlength << (4 * rq->partial_decoding);
if (rq->decodedskip || rq->partial_decoding) {
buff = malloc(decodedcapacity);
if (!buff)
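Review bot: the (size_t) cast on the initial shift only removes the wrap where size_t is wider than unsigned int; on a 32-bit build size_t is 32 bits and `(size_t)rq->decodedlength << 4` still wraps for decodedlength > SIZE_MAX >> 4, so the undersized malloc() described in the commit message remains reachable there. Add an explicit bound check ahead of the shift, e.g. `if (rq->partial_decoding && rq->decodedlength > SIZE_MAX >> 4) return -EFSCORRUPTED;`, so the fix does not depend on the host word size; the commit message's "force 64-bit arithmetic" should then be reworded, since the cast forces size_t arithmetic, not 64-bit arithmetic.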
@@ -287,7 +288,12 @@ static int z_erofs_decompress_deflate(struct z_erofs_decompress_req *rq)
ret = -EFSCORRUPTED;
goto out_inflate_end;
}
- decodedcapacity = decodedcapacity << 1;
+ if (decodedcapacity > SIZE_MAX >> 1) {
+ erofs_err("inflate: decompression buffer overflow");
+ ret = -EFSCORRUPTED;
+ goto out_inflate_end;
+ }
+ decodedcapacity <<= 1;
dest = realloc(buff, decodedcapacity);
if (!dest) {
ret = -ENOMEM;
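Review bot: the `decodedcapacity > SIZE_MAX >> 1` guard is correct, but on 64-bit hosts it is effectively unreachable, because realloc() fails with ENOMEM long before the buffer approaches half the address space; the bound that actually stops a corrupted image from driving this loop is a ceiling derived from the maximum plausible decoded size, so consider checking against such a limit here rather than only against SIZE_MAX. Two smaller points: the message "inflate: decompression buffer overflow" reads as a memory-safety event, whereas the rejected condition is a capacity limit, so something like "inflate: decoded size exceeds capacity limit" describes it better; and the commit message's premise that glibc realloc(ptr, 0) returns a non-NULL pointer does not hold, as glibc frees ptr and returns NULL for a non-NULL ptr, which this loop would already report as -ENOMEM, so the justification for point 2 should be reworded even though the guard itself is worth keeping.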
--
2.43.0
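The capacity arithmetic the patch fixes, isolated so both overflow sites can be exercised directly. This is an added example, not code from erofs-utils or from the patch: `legacy_initial_capacity()` reproduces the pre-patch `unsigned int` shift, `safe_initial_capacity()` reproduces the patched `size_t` shift plus a bound check that the patch does not carry (needed where size_t is only 32 bits), and `safe_double_capacity()` reproduces the doubling guard. `EX_EFSCORRUPTED` is a constructed stand-in for the project's `-EFSCORRUPTED`, and the 256 MiB input is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for erofs-utils' EFSCORRUPTED (assumption: any
 * nonzero value; the real definition lives in erofs/err.h). */
#define EX_EFSCORRUPTED 1000

/* Pre-patch computation: decodedlength << 4 in 32-bit unsigned arithmetic.
 * Values above UINT_MAX >> 4 wrap modulo 2^32; 0x10000000 << 4 becomes 0,
 * which is the undersized malloc() the commit message describes. */
unsigned int legacy_initial_capacity(unsigned int decodedlength, int partial_decoding)
{
	return decodedlength << (4 * (partial_decoding ? 1 : 0));
}

/* Patched computation with an explicit bound: widening to size_t only helps
 * where size_t is wider than unsigned int, so lengths the shift cannot
 * represent on this host are rejected instead of wrapped.
 * Returns 0 and stores the capacity in *out, or -EX_EFSCORRUPTED. */
int safe_initial_capacity(unsigned int decodedlength, int partial_decoding, size_t *out)
{
	unsigned int shift = 4 * (partial_decoding ? 1 : 0);

	if ((size_t)decodedlength > (SIZE_MAX >> shift))
		return -EX_EFSCORRUPTED;
	*out = (size_t)decodedlength << shift;
	return 0;
}

/* Convenience wrapper: the computed capacity, or 0 when rejected. */
size_t initial_capacity_or_zero(unsigned int decodedlength, int partial_decoding)
{
	size_t cap = 0;

	if (safe_initial_capacity(decodedlength, partial_decoding, &cap))
		return 0;
	return cap;
}

/* Doubling step of the realloc() loop with the patch's SIZE_MAX >> 1 guard.
 * Returns 0 and doubles *cap in place, or -EX_EFSCORRUPTED leaving it unchanged. */
int safe_double_capacity(size_t *cap)
{
	if (*cap > SIZE_MAX >> 1)
		return -EX_EFSCORRUPTED;
	*cap <<= 1;
	return 0;
}

/* Convenience wrapper: the doubled capacity, or 0 when rejected. */
size_t doubled_or_zero(size_t cap)
{
	if (safe_double_capacity(&cap))
		return 0;
	return cap;
}

int main(void)
{
	/* Constructed input: a 256 MiB decoded length with partial decoding set. */
	unsigned int len = 0x10000000u;
	size_t cap;

	printf("legacy capacity: %u\n", legacy_initial_capacity(len, 1));
	if (safe_initial_capacity(len, 1, &cap) == 0)
		printf("safe capacity: %zu\n", cap);
	else
		printf("safe capacity: rejected on this host (size_t too narrow)\n");

	cap = (SIZE_MAX >> 1) + 1;
	printf("doubling %zu: %s\n", cap,
	       safe_double_capacity(&cap) == 0 ? "ok" : "rejected");
	return 0;
}
```

On a 64-bit host the legacy value prints as 0 while the safe path yields 4 GiB; on a 32-bit host the safe path rejects the same input, which is the case the plain `(size_t)` cast in the patch does not cover.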
2026-03-15 7:27 [PATCH 1/2] erofs-utils: lib: add capacity ceiling in deflate partial decompression Utkal Singh
2026-03-15 7:27 ` Utkal Singh [this message]