On Fri, 09 Aug 2024 11:54:28 +0200, Richard Weinberger wrote:

> While zalloc() takes a size_t type, adding 1 to the le32 variable
> will overflow.
> A carefully crafted ext4 filesystem can exhibit an inode size of 0xffffffff
> and as consequence zalloc() will do a zero allocation.
>
> Later in the function the inode size is again used for copying data.
> So an attacker can overwrite memory.
>
> [...]

Applied to u-boot/next, thanks!

--
Tom
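
The 32-bit wrap described in the quoted commit message, shown next to a bounded computation. This is an added example, not part of the original mail and not U-Boot's code; `alloc_len_unchecked`, `alloc_len_checked` and `MAX_TARGET_LEN` are hypothetical names, and the sample sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical upper bound on the on-disk size; an assumption for this
 * example, not a U-Boot constant. */
#define MAX_TARGET_LEN 4096u

/* Unchecked form: the "+ 1" is carried out in 32 bits, so the result has
 * already wrapped by the time it is widened to size_t for the allocator. */
static size_t alloc_len_unchecked(uint32_t inode_size)
{
    uint32_t len = inode_size + 1u;   /* 0xffffffff + 1 wraps to 0 */
    return (size_t)len;
}

/* Checked form: reject implausible sizes first, then widen before adding.
 * The bound also keeps the addition safe where size_t is only 32 bits.
 * Returns 0 and stores the length in *out, or -1 if the size is rejected. */
static int alloc_len_checked(uint32_t inode_size, size_t *out)
{
    if (inode_size > MAX_TARGET_LEN)
        return -1;
    *out = (size_t)inode_size + 1;
    return 0;
}

int main(void)
{
    /* Constructed sample sizes, as they would look after le32 decoding. */
    const uint32_t sizes[] = { 11u, 4096u, 4097u, 0xffffffffu };

    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        size_t checked = 0;
        int rc = alloc_len_checked(sizes[i], &checked);

        printf("size=%#x unchecked_alloc=%zu ", (unsigned)sizes[i],
               alloc_len_unchecked(sizes[i]));
        if (rc == 0)
            printf("checked_alloc=%zu\n", checked);
        else
            printf("checked: rejected\n");
    }
    return 0;
}
```

For 0xffffffff the unchecked length is 0 while the later copy would still use the full inode size, which is the mismatch the commit message describes; the checked form refuses the size before any allocation takes place.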