From b2e6d7b9d70ce2f9e1f395d06f84a655f0ca5a54 Mon Sep 17 00:00:00 2001
From: hujun5
Date: Tue, 24 Oct 2023 14:12:36 +0800
Subject: [PATCH] fs/tmpfs: fix an integer overflow

newsize = newsize + CONFIG_FS_TMPFS_FILE_ALLOCGUARD; When newsize is a large value, adding a relatively small value can cause the result to become very small, resulting in program logic errors. For example: 0xffffffff + 0x2 = 1

Signed-off-by: hujun5
---
 fs/tmpfs/fs_tmpfs.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/tmpfs/fs_tmpfs.c b/fs/tmpfs/fs_tmpfs.c
index 98995a39ba..01fae27f5a 100644
--- a/fs/tmpfs/fs_tmpfs.c
+++ b/fs/tmpfs/fs_tmpfs.c
@@ -298,6 +298,12 @@ static int tmpfs_realloc_file(FAR struct tmpfs_file_s *tfo,
 */
 allocsize = newsize + CONFIG_FS_TMPFS_FILE_ALLOCGUARD;
+ if (allocsize < newsize)
+ {
+ /* There must have been an integer overflow */
+
+ return -ENOMEM;
+ }
 /* Realloc the file object */
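Review bot: The post-addition check `if (allocsize < newsize)` is only a reliable overflow detector when `allocsize` and `newsize` are unsigned; the declarations are outside the hunk, and if either is a signed type (e.g. `off_t`) the wrap is undefined behavior and the compiler is entitled to drop the comparison entirely. A check that never performs the overflowing addition is safe for either signedness: `if (newsize > SIZE_MAX - CONFIG_FS_TMPFS_FILE_ALLOCGUARD) { return -ENOMEM; }` placed before `allocsize = ...` (substituting the limit macro of the actual type if it is not `size_t`). The comment `/* There must have been an integer overflow */` would then read more accurately as `/* newsize + guard would overflow; refuse rather than allocate a tiny buffer */`, since the consequence of the bug is an undersized allocation followed by out-of-bounds writes, which is the security-relevant reason for the check. The enclosing function tmpfs_realloc_file begins and continues outside the hunk, so the types of these two variables should be confirmed there.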