From 11396473f5878af70b0ec9714a03d81a0c05a771 Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Sat, 12 Mar 2016 00:09:23 +0000
Subject: [PATCH] [pixbuf] Check for unsigned integer overflow on multiplication

Signed-off-by: Michael Brown
---
 src/core/pixbuf.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/core/pixbuf.c b/src/core/pixbuf.c
index 41e18f8dc..c12bd3c06 100644
--- a/src/core/pixbuf.c
+++ b/src/core/pixbuf.c
@@ -65,6 +65,10 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
 pixbuf->height = height;
 pixbuf->len = ( width * height * sizeof ( uint32_t ) );
+ /* Check for multiplication overflow */
+ if ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height )
+ goto err_overflow;
+ /* Allocate pixel data buffer */
 pixbuf->data = umalloc ( pixbuf->len );
 if ( ! pixbuf->data )
@@ -73,6 +77,7 @@ struct pixel_buffer * alloc_pixbuf ( unsigned int width, unsigned int height ) {
 return pixbuf;
 err_alloc_data:
+ err_overflow:
 pixbuf_put ( pixbuf );
 err_alloc_pixbuf:
 return NULL;
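Review bot: The added overflow check divides by `width`, so a call with a zero width reaches a division by zero, which is undefined behaviour in C and traps on common targets. Nothing in the hunk shows `width` being validated beforehand, and the body of alloc_pixbuf begins outside the hunk, so an earlier guard cannot be ruled out. If the dimensions can come from a parsed image header, the condition should carry the guard itself: `if ( ( width != 0 ) && ( ( ( pixbuf->len / sizeof ( uint32_t ) ) / width ) != height ) )`. I would also extend the comment to `/* Check for multiplication overflow (unsigned wrap-around is well defined, so verify the product after the fact) */`, which explains why the test runs after the multiplication rather than before it.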