Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[pixbuf] Check for unsigned integer overflow on multiplication
Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Mar 12, 2016
1 parent 5a6ed90 commit 1139647
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/core/pixbuf.c
Expand Up @@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
pixbuf->height = height;
pixbuf->len = ( width * height * sizeof ( uint32_t ) );

/* Check for multiplication overflow */
if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height )
goto err_overflow;

/* Allocate pixel data buffer */
pixbuf->data = umalloc ( pixbuf->len );
if ( ! pixbuf->data )
Expand All @@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
return pixbuf;

err_alloc_data:
err_overflow:
pixbuf_put ( pixbuf );
err_alloc_pixbuf:
return NULL;
Expand Down

0 comments on commit 1139647

Please sign in to comment.