diff options
author | Michael Brown | 2016-03-12 01:09:23 +0100 |
---|---|---|
committer | Michael Brown | 2016-03-12 01:09:23 +0100 |
commit | 11396473f5878af70b0ec9714a03d81a0c05a771 (patch) | |
tree | 9640553cc53766b292f796a5ac33d79b71694c23 /src/core/pixbuf.c | |
parent | [crypto] Allow for zero-length ASN.1 cursors (diff) | |
download | ipxe-11396473f5878af70b0ec9714a03d81a0c05a771.tar.gz ipxe-11396473f5878af70b0ec9714a03d81a0c05a771.tar.xz ipxe-11396473f5878af70b0ec9714a03d81a0c05a771.zip |
[pixbuf] Check for unsigned integer overflow on multiplication
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/core/pixbuf.c')
-rw-r--r-- | src/core/pixbuf.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/core/pixbuf.c b/src/core/pixbuf.c index 41e18f8d..c12bd3c0 100644 --- a/src/core/pixbuf.c +++ b/src/core/pixbuf.c @@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) { pixbuf->height = height; pixbuf->len = ( width * height * sizeof ( uint32_t ) ); + /* Check for multiplication overflow */ + if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height ) + goto err_overflow; + /* Allocate pixel data buffer */ pixbuf->data = umalloc ( pixbuf->len ); if ( ! pixbuf->data ) @@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) { return pixbuf; err_alloc_data: + err_overflow: pixbuf_put ( pixbuf ); err_alloc_pixbuf: return NULL; |