From 91c4d1affdba02a323dc2c7caccabe240ccb8302 Mon Sep 17 00:00:00 2001
From: Yu Watanabe
Date: Wed, 19 Mar 2025 11:12:33 +0900
Subject: [PATCH] nspawn-oci: update overflow check
Fixes CID#1548072.
---
 src/nspawn/nspawn-oci.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/nspawn/nspawn-oci.c b/src/nspawn/nspawn-oci.c
index ecbcaefcbb1..923e20b5c03 100644
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -700,8 +700,8 @@ static int oci_uid_gid_mappings(const char *name, sd_json_variant *v, sd_json_di
 if (r < 0)
 return r;
- if (data.host_id + data.range < data.host_id ||
- data.container_id + data.range < data.container_id)
+ if (data.range > UINT32_MAX - data.host_id ||
+ data.range > UINT32_MAX - data.container_id)
 return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
 "UID/GID range goes beyond UID/GID validity range, refusing.");
-- 
2.47.3
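Review bot: The rewritten bound in the two added lines hard-codes `UINT32_MAX`, so it is only correct while `data.host_id`, `data.container_id` and `data.range` are 32-bit unsigned. Their declarations are outside this hunk, so that coupling cannot be confirmed from here. Since these values come from the OCI bundle's JSON and decide which host IDs get mapped into the container, I would pin the assumption next to the check, for example with `assert_cc(sizeof(data.range) == sizeof(uint32_t));`. A short comment would also help: `/* Compare on the subtraction side so that no sum is formed and nothing can wrap. */`. Separately, a mapping with `range == 0` still passes this test; presumably it is rejected elsewhere in `oci_uid_gid_mappings()`, whose body starts and ends outside the hunk, but that is worth confirming.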