Patchwork [v2,08/10] mtd-utils: nandwrite: prevent 32-bit overflow

Submitter Brian Norris
Date Nov. 11, 2010, 6:31 a.m.
Message ID <1289457101-24040-1-git-send-email-computersforpeace@gmail.com>
Permalink /patch/70777/
State Accepted
Commit a188ff405000902139a46d9e3753cae0e1168d46

Comments

Brian Norris - Nov. 11, 2010, 6:31 a.m.
For large block- and page-sizes, the multiplication of ebsize_aligned
and pagelen can overflow a 32-bit integer.  This overflow can be
prevented by a simple change in order of operations (i.e., do division
first).

Since ebsize_aligned is always a multiple of mtd.min_io_size, this
produces no change in results.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
 nandwrite.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

Patch

diff --git a/nandwrite.c b/nandwrite.c
index 8ec5afe..aea7572 100644
--- a/nandwrite.c
+++ b/nandwrite.c
@@ -440,8 +440,13 @@  int main(int argc, char * const argv[])
 		goto closeall;
 	}
 
-	// Allocate a buffer big enough to contain all the data (OOB included) for one eraseblock
-	filebuf_max = pagelen * ebsize_aligned / mtd.min_io_size;
+	/*
+	 * Allocate a buffer big enough to contain all the data (OOB included)
+	 * for one eraseblock. The order of operations here matters; if ebsize
+	 * and pagelen are large enough, then "ebsize_aligned * pagelen" could
+	 * overflow a 32-bit data type.
+	 */
+	filebuf_max = ebsize_aligned / mtd.min_io_size * pagelen;
 	filebuf = xmalloc(filebuf_max);
 	erase_buffer(filebuf, filebuf_max);
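
Review bot: The new comment above `filebuf_max = ebsize_aligned / mtd.min_io_size * pagelen;` explains the overflow but not the invariant that makes the reordering safe, namely that ebsize_aligned is always a multiple of mtd.min_io_size; that is stated only in the commit message. If that ever stops holding, the integer division truncates and filebuf_max comes out smaller than one eraseblock's worth of data, and the xmalloc and erase_buffer calls that follow size the buffer from it. Suggest adding a sentence to the comment recording the invariant, or checking it before the division. The reordering removes the overflow of the intermediate product only; the final multiplication by pagelen is still unchecked in the visible lines, so a result that does not fit the type of filebuf_max would still wrap.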