From 51ec71d98523794b61381bae4cb53a0f09d06437 Mon Sep 17 00:00:00 2001 From: Vladislav Shchapov Date: Sat, 17 Jan 2026 18:46:50 +0500 Subject: Fix integer overflow in gz_compress_mmap Signed-off-by: Vladislav Shchapov --- test/fuzz/fuzzer_minigzip.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) (limited to 'test/fuzz') diff --git a/test/fuzz/fuzzer_minigzip.c b/test/fuzz/fuzzer_minigzip.c index 6e38881962..3f58f4a299 100644 --- a/test/fuzz/fuzzer_minigzip.c +++ b/test/fuzz/fuzzer_minigzip.c @@ -70,26 +70,27 @@ static void error(const char *msg) { * success, Z_ERRNO otherwise. */ static int gz_compress_mmap(FILE *in, gzFile out) { - int len; int err; int ifd = fileno(in); - char *buf; /* mmap'ed buffer for the entire input file */ - off_t buf_len; /* length of the input file */ + void *buf; /* mmap'ed buffer for the entire input file */ + size_t buf_len; /* length of the input file */ + size_t len; struct stat sb; /* Determine the size of the file, needed for mmap: */ if (fstat(ifd, &sb) < 0) return Z_ERRNO; - buf_len = sb.st_size; - if (buf_len <= 0) return Z_ERRNO; + /* Check size_t overflow */ + if (sb.st_size <= 0 || sb.st_size > PTRDIFF_MAX) return Z_ERRNO; + buf_len = (size_t)sb.st_size; /* Now do the actual mmap: */ - buf = mmap((void *)0, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); - if (buf == (char *)(-1)) return Z_ERRNO; + buf = mmap(NULL, buf_len, PROT_READ, MAP_SHARED, ifd, (off_t)0); + if (buf == MAP_FAILED) return Z_ERRNO; /* Compress the whole file at once: */ - len = PREFIX(gzwrite)(out, (char *)buf, (unsigned)buf_len); + len = PREFIX(gzfwrite)(buf, 1, buf_len, out); - if (len != (int)buf_len) error(PREFIX(gzerror)(out, &err)); + if (len != buf_len) error(PREFIX(gzerror)(out, &err)); munmap(buf, buf_len); fclose(in); -- cgit 0.0.5-2-1-g0f52