diff options
author | Dan Carpenter <error27@gmail.com> | 2010-03-15 04:21:13 -0400 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2010-04-08 09:35:20 -0400 |
commit | 69ecbbedac8e353bbd924fad16fed0c7c54e6382 (patch) | |
tree | f008c3ad0750585ea3d403718251922f215cb626 | |
parent | 0fdf86754f70e813845af4abaa805165ce57a0bb (diff) |
udf: potential integer overflow
bloc->logicalBlockNum is unsigned so it's never less than zero.
When I saw that, it made me worry that "bloc->logicalBlockNum + count"
could overflow. That's why I changed the check for less than zero
to an overflow check. (The test works because "count" is also
unsigned.)
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
-rw-r--r-- | fs/udf/balloc.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/fs/udf/balloc.c b/fs/udf/balloc.c index 19626e2491c4..9a9378b4eb5a 100644 --- a/fs/udf/balloc.c +++ b/fs/udf/balloc.c | |||
@@ -125,9 +125,8 @@ static void udf_bitmap_free_blocks(struct super_block *sb, | |||
125 | 125 | ||
126 | mutex_lock(&sbi->s_alloc_mutex); | 126 | mutex_lock(&sbi->s_alloc_mutex); |
127 | partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; | 127 | partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; |
128 | if (bloc->logicalBlockNum < 0 || | 128 | if (bloc->logicalBlockNum + count < count || |
129 | (bloc->logicalBlockNum + count) > | 129 | (bloc->logicalBlockNum + count) > partmap->s_partition_len) { |
130 | partmap->s_partition_len) { | ||
131 | udf_debug("%d < %d || %d + %d > %d\n", | 130 | udf_debug("%d < %d || %d + %d > %d\n", |
132 | bloc->logicalBlockNum, 0, bloc->logicalBlockNum, | 131 | bloc->logicalBlockNum, 0, bloc->logicalBlockNum, |
133 | count, partmap->s_partition_len); | 132 | count, partmap->s_partition_len); |
@@ -393,9 +392,8 @@ static void udf_table_free_blocks(struct super_block *sb, | |||
393 | 392 | ||
394 | mutex_lock(&sbi->s_alloc_mutex); | 393 | mutex_lock(&sbi->s_alloc_mutex); |
395 | partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; | 394 | partmap = &sbi->s_partmaps[bloc->partitionReferenceNum]; |
396 | if (bloc->logicalBlockNum < 0 || | 395 | if (bloc->logicalBlockNum + count < count || |
397 | (bloc->logicalBlockNum + count) > | 396 | (bloc->logicalBlockNum + count) > partmap->s_partition_len) { |
398 | partmap->s_partition_len) { | ||
399 | udf_debug("%d < %d || %d + %d > %d\n", | 397 | udf_debug("%d < %d || %d + %d > %d\n", |
400 | bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count, | 398 | bloc->logicalBlockNum, 0, bloc->logicalBlockNum, count, |
401 | partmap->s_partition_len); | 399 | partmap->s_partition_len); |