# Extended 5.8 — imageAccess.c: sz * count overflow before fread / fwrite

Bug ref      : pharo.md §5.8
Severity     : MEDIUM (small bytesToRead → loop ends early on huge requested reads)
File         : src/imageAccess.c
Lines (HEAD) : 78, 136 (`basicImageFileRead`, `basicImageFileWrite`)

## Problem

```c
size_t bytesToRead = sz * count;
```

`sz` and `count` are `size_t`, but the multiply can still wrap on
32-bit systems if both operands are large. `bytesToRead` then
disagrees with what `fread(initialPtr, sz, count, …)` actually
reads, and the surrounding chunked-read logic uses the truncated
value.

## Fix

Detect overflow with the standard divide-back pattern.

```diff
--- a/src/imageAccess.c
+++ b/src/imageAccess.c
@@ -75,9 +75,15 @@
 size_t basicImageFileRead(void * initialPtr, size_t sz, size_t count, sqImageFile f){
 
 	size_t readBytes = 0;
-	size_t bytesToRead = sz * count;
+	size_t bytesToRead;
 	size_t lastReadBytes = 0;
 	size_t chunkToRead = 0;
 	size_t remainingBytes = 0;
 	char* currentPtr = initialPtr;
+
+	if (sz != 0 && count > SIZE_MAX / sz) {
+		logError("basicImageFileRead: sz * count overflows (sz=%zu count=%zu)", sz, count);
+		return 0;
+	}
+	bytesToRead = sz * count;
 
 	if(bytesToRead <= CHUNK_SIZE){

```

Apply the same check at line 136 in `basicImageFileWrite`.

## Test plan

- 32-bit build: call basicImageFileRead with `sz = 0x80000000`,
  `count = 2`. Before: bytesToRead wraps. After: function returns
  0 with an error log.

## Risk notes

- Multiply-overflow checks are standard libc-style.