fs: prevent integer overflow in fs.c do_mv
authorTimo tp Preißl <t.preissl@proton.me>
Fri, 9 Jan 2026 11:24:45 +0000 (11:24 +0000)
committerTom Rini <trini@konsulko.com>
Fri, 16 Jan 2026 19:04:40 +0000 (13:04 -0600)
An integer overflow in size calculations could lead to
under-allocation and potential heap buffer overflow.

Signed-off-by: Timo tp Preißl <t.preissl@proton.me>
Reviewed-by: Simon Glass <simon.glass@canonical.com>
Reviewed-by: Tom Rini <trini@konsulko.com>
fs/fs.c

diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af859ef46c38bcc4e5741cc9a4b3d4179..319c55c440aaffb8e59975fa6ea0c06e98cc894f 100644 (file)
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
         */
        if (dirs) {
                char *src_name = strrchr(src, '/');
-               int dst_len;
 
                if (src_name)
                        src_name += 1;
                else
                        src_name = src;
 
-               dst_len = strlen(dst);
-               new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+               size_t dst_len = strlen(dst);
+               size_t src_len = strlen(src_name);
+               size_t total;
+
+               if (__builtin_add_overflow(dst_len, src_len, &total) ||
+                   __builtin_add_overflow(total, 2, &total)) {
+                       return 0;
+               }
+
+               new_dst = calloc(1, total);
+               if (!new_dst)
+                       return 0;
+
                strcpy(new_dst, dst);
 
                /* If there is already a trailing slash, don't add another */
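Review bot: Both new error paths in the `if (dirs)` branch use `return 0;`, which U-Boot's command convention treats as success (`CMD_RET_SUCCESS`), so an overflowed length or a failed `calloc()` would be reported to the caller as a completed move. They also return from inside the branch where `dirs` is non-NULL, so whatever do_mv does after this block to release `dirs` is skipped; that cleanup is outside the hunk, so the leak is inferred rather than visible. I would set a failure result and leave through the function's common exit path, or at minimum release `dirs` and then `return CMD_RET_FAILURE;`. The rest of do_mv's body lies outside the hunk.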