fs/tmpfs: fix an integer overflow

newsize = newsize + CONFIG_FS_TMPFS_FILE_ALLOCGUARD; When newsize is a large value, adding a relatively small value can cause the result to become very small, resulting in program logic errors. For example: 0xffffffff + 0x2 = 1 Signed-off-by: hujun5 <hujun5@xiaomi.com>
2025-01-13 07:28:38 +08:00 · 2023-10-24 14:12:36 +08:00 · 2023-10-24 14:12:36 +08:00 · b2e6d7b9d7
commit b2e6d7b9d7
parent be32247e73
1 changed files with 6 additions and 0 deletions
--- a/fs/tmpfs/fs_tmpfs.c
+++ b/fs/tmpfs/fs_tmpfs.c
@ -298,6 +298,12 @@ static int tmpfs_realloc_file(FAR struct tmpfs_file_s *tfo,
   */

  allocsize = newsize + CONFIG_FS_TMPFS_FILE_ALLOCGUARD;
+  if (allocsize < newsize)
+    {
+      /* There must have been an integer overflow */
+
+      return -ENOMEM;
+    }

  /* Realloc the file object */