瀏覽代碼

[pixbuf] Check for unsigned integer overflow on multiplication

Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Michael Brown 8 年之前
父節點
當前提交
11396473f5
共有 1 個檔案被更改,包括 5 行新增0 行删除
  1. 5
    0
      src/core/pixbuf.c

+ 5
- 0
src/core/pixbuf.c 查看文件

@@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
65 65
 	pixbuf->height = height;
66 66
 	pixbuf->len = ( width * height * sizeof ( uint32_t ) );
67 67
 
68
+	/* Check for multiplication overflow */
69
+	if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height )
70
+		goto err_overflow;
71
+
68 72
 	/* Allocate pixel data buffer */
69 73
 	pixbuf->data = umalloc ( pixbuf->len );
70 74
 	if ( ! pixbuf->data )
@@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
73 77
 	return pixbuf;
74 78
 
75 79
  err_alloc_data:
80
+ err_overflow:
76 81
 	pixbuf_put ( pixbuf );
77 82
  err_alloc_pixbuf:
78 83
 	return NULL;

Loading…
取消
儲存