video/fb/video_fb: Fix possible integer overflow

It is minimal possibility that the values being used here will overflow.
So, change the code to use the safemath function grub_mul() to ensure
that doesn't happen.

Fixes: CID 73761
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
index 1c9a138dcdc47adaa0e53f2a7b510b576f863efc..ae6b89f9aea4d6facc0748172934f62fdd0cf9b5 100644 (file)
--- a/grub-core/video/fb/video_fb.c
+++ b/grub-core/video/fb/video_fb.c
@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
                             volatile void *page1_ptr)
 {
   grub_err_t err;
-  grub_size_t page_size = mode_info->pitch * mode_info->height;
+  grub_size_t page_size = 0;
+
+  if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
+    {
+      /* Shouldn't happen, but if it does we've a bug. */
+      return GRUB_ERR_BUG;
+    }
 
   framebuffer.offscreen_buffer = grub_malloc (page_size);
   if (! framebuffer.offscreen_buffer)