authorMichael Brown2016-03-12 01:09:23 +0100
committerMichael Brown2016-03-12 01:09:23 +0100
commit11396473f5878af70b0ec9714a03d81a0c05a771 (patch)
tree9640553cc53766b292f796a5ac33d79b71694c23 /src/core/pixbuf.c
parent[crypto] Allow for zero-length ASN.1 cursors (diff)
[pixbuf] Check for unsigned integer overflow on multiplication
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/core/pixbuf.c')
-rw-r--r--src/core/pixbuf.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/pixbuf.c b/src/core/pixbuf.c
index 41e18f8d..c12bd3c0 100644
--- a/src/core/pixbuf.c
+++ b/src/core/pixbuf.c
@@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
pixbuf->height = height;
pixbuf->len = ( width * height * sizeof ( uint32_t ) );
+ /* Check for multiplication overflow */
+ if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height )
+ goto err_overflow;
+
/* Allocate pixel data buffer */
pixbuf->data = umalloc ( pixbuf->len );
if ( ! pixbuf->data )
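Review bot: The added overflow check divides by `width`, so a call with `width == 0` hits a division by zero before the allocation is attempted; nothing visible in this hunk rejects a zero width first. If the dimensions can originate from a parsed image header (not visible here, so this is an assumption), a zero-width image would be enough to reach it. Guard the division, e.g. `if ( ( width != 0 ) && ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height ) )`, which leaves the zero-area case with `len == 0` as it was before this commit. It would also help to extend the comment to say that the check is done after the multiplication because unsigned wrap-around is well defined, e.g. `/* Check for multiplication overflow (unsigned wrap is detected by dividing back) */`. alloc_pixbuf starts above the hunk and continues past it.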
@@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
return pixbuf;
err_alloc_data:
+ err_overflow:
pixbuf_put ( pixbuf );
err_alloc_pixbuf:
return NULL;