mtd-utils: nandwrite: prevent 32-bit overflow

For large block- and page-sizes, the multiplication of ebsize_aligned
and pagelen can overflow a 32-bit integer.  This overflow can be
prevented by a simple change in order of operations (i.e., do division
first).

Since ebsize_aligned is always a multiple of mtd.min_io_size, this
produces no change in results.

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>

diff --git a/nandwrite.c b/nandwrite.c
index 8ec5afeb4e9feb5596c382d60bd6f43add566eb4..aea7572241f58d84c03046ec0162780b60f558fb 100644 (file)
--- a/nandwrite.c
+++ b/nandwrite.c
@@ -440,8 +440,13 @@ int main(int argc, char * const argv[])
                goto closeall;
        }
 
-       // Allocate a buffer big enough to contain all the data (OOB included) for one eraseblock
-       filebuf_max = pagelen * ebsize_aligned / mtd.min_io_size;
+       /*
+        * Allocate a buffer big enough to contain all the data (OOB included)
+        * for one eraseblock. The order of operations here matters; if ebsize
+        * and pagelen are large enough, then "ebsize_aligned * pagelen" could
+        * overflow a 32-bit data type.
+        */
+       filebuf_max = ebsize_aligned / mtd.min_io_size * pagelen;
        filebuf = xmalloc(filebuf_max);
        erase_buffer(filebuf, filebuf_max);