REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510
Check for addition overflow in malloc() when computing NodeSize and return error if overflow is detected. Cc: Rebecca Cran <rebe...@nuviainc.com> Cc: Yitzhak Briskman <yitzhak.brisk...@intel.com> Cc: Jian J Wang <jian.j.w...@intel.com> Cc: Yonghong Zhu <yonghong....@intel.com> Signed-off-by: Michael D Kinney <michael.d.kin...@intel.com> --- StdLib/LibC/StdLib/Malloc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c index c131b9e..7bf8827 100644 --- a/StdLib/LibC/StdLib/Malloc.c +++ b/StdLib/LibC/StdLib/Malloc.c @@ -94,6 +94,12 @@ malloc(size_t Size) return NULL; } + if ((Size + sizeof(CPOOL_HEAD)) < Size) { + RetVal = NULL; + errno = ENOMEM; + DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n")); + } + NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD)); DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize)); -- 2.32.0.windows.1
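Review bot: the new overflow block in malloc() has no return, so after setting RetVal = NULL and errno = ENOMEM execution falls through to `NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));` and the rest of the function runs with the wrapped sum, which is smaller than Size. The commit message says an error is returned on overflow, and the check directly above in the context ends with `return NULL;`. Add `return NULL;` as the last statement of the new block (or otherwise skip the allocation path when the check fires) so that an undersized node cannot be allocated for an oversized request. It would also help to state in the commit message or a comment that the test relies on unsigned wraparound of size_t, since that is why `(Size + sizeof(CPOOL_HEAD)) < Size` is a valid overflow check.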