jffsX-utils: fix integer overflow in jffs2dump.c

Report of the static analyzer:
The value of an arithmetic expression 'datsize + oobsize' is a subject to overflow because its operands are not cast to a larger data type before performing arithmetic.

Corrections explained:
- Added a check to validate datsize and oobsize to ensure they are non-negative and within a safe range.
- Cast datsize and oobsize to long before performing arithmetic to prevent potential integer overflow.

This change ensures safe computation of offsets and prevents undefined behavior caused by overflow.

Signed-off-by: Anton Moryakov <ant.v.moryakov@gmail.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

diff --git a/jffsX-utils/jffs2dump.c b/jffsX-utils/jffs2dump.c
index 30455ea479af0d440deb37132bd31c7122bc1a3b..b757ebe355392d9a640b079b18c28602b0b14a25 100644 (file)
--- a/jffsX-utils/jffs2dump.c
+++ b/jffsX-utils/jffs2dump.c
@@ -772,6 +772,13 @@ int main(int argc, char **argv)
                exit(EXIT_FAILURE);
        }
 
+       if (datsize < 0 || oobsize < 0 || datsize > imglen || (long)datsize + oobsize < 0) {
+               fprintf(stderr, "Error: invalid datsize/oobsize.\n");
+               free(data);
+               close (fd);
+               exit(EXIT_FAILURE);
+       }
+
        if (datsize && oobsize) {
                int  idx = 0;
                long len = imglen;
@@ -783,7 +790,7 @@ int main(int argc, char **argv)
                        read_nocheck (fd, oob, oobsize);
                        idx += datsize;
                        imglen -= oobsize;
-                       len -= datsize + oobsize;
+                       len -= (long)datsize + oobsize;
                }
 
        } else {