lib/gterm, lib/image: Check for overflow in canvas and image size calculations
diff --git a/common/lib/gterm.c b/common/lib/gterm.c
index 8ea298da..1dc7ed54 100644
--- a/common/lib/gterm.c
+++ b/common/lib/gterm.c
@@ -436,7 +436,11 @@ static void generate_canvas(struct fb_info *fb) {
if (bg_canvas != NULL) {
pmm_free(bg_canvas, bg_canvas_size);
}
- bg_canvas_size = fb->framebuffer_width * fb->framebuffer_height * sizeof(uint32_t);
+ bg_canvas_size = CHECKED_MUL(
+ CHECKED_MUL(fb->framebuffer_width, fb->framebuffer_height,
+ panic(false, "gterm: canvas size overflow")),
+ sizeof(uint32_t),
+ panic(false, "gterm: canvas size overflow"));
bg_canvas = ext_mem_alloc(bg_canvas_size);
// Clamp margin to half the framebuffer dimensions to prevent underflow
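Review bot: The new check only protects `ext_mem_alloc(bg_canvas_size)` if CHECKED_MUL rejects every product that does not fit in the type of `bg_canvas_size`, and that is not visible here: the macro is defined outside this diff, and the operands are passed uncast, unlike image.c in the same commit, which casts to `size_t`. If the `fb_info` fields are wider than `size_t` on some build target, a product could pass the check and still be truncated on assignment, leaving a canvas smaller than the framebuffer it is later written for. Please confirm the type the macro checks in and record it above the call, for example `// overflow is checked in size_t, the type of bg_canvas_size`. generate_canvas starts and continues outside the hunk.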
diff --git a/common/lib/image.c b/common/lib/image.c
index e0836b92..f9f43880 100644
--- a/common/lib/image.c
+++ b/common/lib/image.c
@@ -48,14 +48,16 @@ struct image *image_open(struct file_handle *file) {
// Convert ABGR to XRGB
uint32_t *pptr = (void *)image->img;
- size_t pixel_count = (size_t)x * (size_t)y;
+ size_t pixel_count = CHECKED_MUL((size_t)x, (size_t)y,
+ ({ pmm_free(image, sizeof(struct image)); return NULL; }));
for (size_t i = 0; i < pixel_count; i++) {
pptr[i] = (pptr[i] & 0x0000ff00) | ((pptr[i] & 0x00ff0000) >> 16) | ((pptr[i] & 0x000000ff) << 16);
}
image->x_size = x;
image->y_size = y;
- image->pitch = x * 4;
+ image->pitch = (int)CHECKED_MUL((size_t)x, (size_t)4,
+ ({ pmm_free(image, sizeof(struct image)); return NULL; }));
image->bpp = 32;
image->img_width = x;
image->img_height = y;
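Review bot: The `(int)` cast on the `image->pitch` line can still truncate, because the CHECKED_MUL inside it tests for overflow of `size_t`, not of the narrower type the cast suggests `pitch` has. Where `size_t` is 64 bits, `(size_t)x * 4` can never trip the check, and a product above INT_MAX would become a negative or wrapped pitch. A bound in the destination type ahead of the assignment closes that, e.g. `if (x > INT_MAX / 4) { pmm_free(image, sizeof(struct image)); return NULL; }`. Separately, both new error paths free only the `struct image`; `image->img` is assigned outside the hunk, so if it is a separately allocated pixel buffer it would also need releasing on these paths. image_open starts and ends outside the hunk.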
