[pixbuf] Check for unsigned integer overflow on multiplication

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/core/pixbuf.c b/src/core/pixbuf.c
index 41e18f8dc13f8b64afc28ea16214d9f1c4d82d78..c12bd3c068a487a877a85cff382891e0600814e8 100644 (file)
--- a/src/core/pixbuf.c
+++ b/src/core/pixbuf.c
@@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
        pixbuf->height = height;
        pixbuf->len = ( width * height * sizeof ( uint32_t ) );
 
+       /* Check for multiplication overflow */
+       if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height )
+               goto err_overflow;
+
        /* Allocate pixel data buffer */
        pixbuf->data = umalloc ( pixbuf->len );
        if ( ! pixbuf->data )
@@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
        return pixbuf;
 
  err_alloc_data:
+ err_overflow:
        pixbuf_put ( pixbuf );
  err_alloc_pixbuf:
        return NULL;