An integer overflow in length calculation could lead to
under-allocation and buffer overcopy.
Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Tom Rini <trini@konsulko.com>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: João Marcos Costa <joaomarcos.costa@bootlin.com>
{
char *result;
int i, length = 0, offset = 0;
+ size_t alloc;
length = sqfs_get_tokens_length(token_list, token_count);
- result = malloc(length + 1);
+ if (__builtin_add_overflow(length, 1, &alloc))
+ return 0;
+
+ result = malloc(alloc);
if (!result)
return NULL;
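Review bot: the added overflow branch ends in `return 0;`, while `result` is a `char *` and the allocation-failure path right below it uses `return NULL;`. Use `return NULL;` in the new branch as well so both error paths read the same. Separately, `length` is still an `int` and only the `+ 1` is checked here, so a negative value coming back from `sqfs_get_tokens_length()` is not fully covered: with `length == -1` the builtin reports no overflow and `alloc` becomes 0. Consider rejecting `length < 0` before the addition, or making the length computation itself overflow-aware.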