author | PeiKan Tsai <mark1990301@gmail.com> | 2019-01-31 22:02:08 +0800 |
---|---|---|
committer | Jérôme Forissier <jerome.forissier@linaro.org> | 2019-02-01 09:57:41 +0100 |
commit | 7539e8c32413101d24ddc010cccb0233bbe13c81 | |
tree | e4034c0fe7a2ec6d0731ac4d5722d2a56542addb /lib | |
parent | b0b3a51cc320d0e3173c5d62f109d658e7f530f2 | |

bget: Check for size overflow

Check size overflow to avoid size <= 0 which may be caused by
calculation "size += sizeof(struct bhead)" and
"size = (size + (SizeQuant - 1)) & (~(SizeQuant - 1))".

Signed-off-by: Peikan Tsai <mark1990301@gmail.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Diffstat (limited to 'lib')
-rw-r--r-- | lib/libutils/isoc/bget.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/lib/libutils/isoc/bget.c b/lib/libutils/isoc/bget.c index 6de0b091..f70a1145 100644 --- a/lib/libutils/isoc/bget.c +++ b/lib/libutils/isoc/bget.c @@ -597,12 +597,16 @@ void *bget(requested_size, poolset) } #ifdef SizeQuant #if SizeQuant > 1 - size = (size + (SizeQuant - 1)) & (~(SizeQuant - 1)); + if (ADD_OVERFLOW(size, SizeQuant - 1, &size)) + return NULL; + + size = ROUNDDOWN(size, SizeQuant); #endif #endif - size += sizeof(struct bhead); /* Add overhead in allocated buffer - to size required. */ + /* Add overhead in allocated buffer to size required. */ + if (ADD_OVERFLOW(size, sizeof(struct bhead), &size)) + return NULL; #ifdef BECtl /* If a compact function was provided in the call to bectl(), wrap |
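
Review bot: in the `#if SizeQuant > 1` block the round-up is now split across `ADD_OVERFLOW(size, SizeQuant - 1, &size)` and `size = ROUNDDOWN(size, SizeQuant);`, so the second statement read on its own looks like it rounds the request down; a one-line comment saying that the pair rounds up to a multiple of SizeQuant (and, like the mask it replaces, relies on SizeQuant being a power of two) would keep the intent obvious. Both new checks only detect the additions wrapping, while the commit message is about size <= 0: a size that is already zero or negative when it reaches these lines is not rejected by them, so it is worth confirming that case is handled earlier in bget(). The patch also uses ADD_OVERFLOW and ROUNDDOWN without adding an #include (all 7 insertions in the diffstat are in this hunk), so please confirm that the header defining them is already pulled into bget.c in every configuration that builds it.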