libext2fs: fix bug when reading or writing more than 2GB in unix_io

If count * block_size exceeds 2GB, we will overflow a 32-bit signed
integer value.  This shouldn't happen in practice except for
fuzz-corrupted file systems, but let's fix the code so it's correct.

Bug: https://github.com/tytso/e2fsprogs/issues/24
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

diff --git a/lib/ext2fs/unix_io.c b/lib/ext2fs/unix_io.c
index 74fc8a75df7170f5c1e19a3693e8f19a639cb861..628e60c39eaf1400ea2dbbd5898262f077ba127d 100644 (file)
--- a/lib/ext2fs/unix_io.c
+++ b/lib/ext2fs/unix_io.c
@@ -166,7 +166,7 @@ static errcode_t raw_read_blk(io_channel channel,
        unsigned char   *buf = bufv;
        ssize_t         really_read = 0;
 
-       size = (count < 0) ? -count : count * channel->block_size;
+       size = (count < 0) ? -count : (ext2_loff_t) count * channel->block_size;
        data->io_stats.bytes_read += size;
        location = ((ext2_loff_t) block * channel->block_size) + data->offset;
 
@@ -275,7 +275,7 @@ static errcode_t raw_write_blk(io_channel channel,
                if (count < 0)
                        size = -count;
                else
-                       size = count * channel->block_size;
+                       size = (ext2_loff_t) count * channel->block_size;
        }
        data->io_stats.bytes_written += size;