security: Check for integer overflow in VbExMalloc()

Make sure we don't roll over when rounding up to align the requested size. BUG=chrome-os-partner:11642 TEST=none No test; if security guys approve code change, it's fixed. Change-Id: I2e915a6e6b37fc315ab7adb435e2fce4eed670ba Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-on: https://gerrit.chromium.org/gerrit/28729 Reviewed-by: Sumit Gwalani <sumitg@google.com> Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
2026-01-01 21:02:27 +00:00 · 2012-07-30 15:03:30 -07:00
parent 37754f9b70
commit 261beed560
1 changed files with 2 additions and 1 deletions
--- a/common/vboot_stub.c
+++ b/common/vboot_stub.c
@@ -95,8 +95,9 @@ void *VbExMalloc(size_t size)
 	}

 	if (size % 8) {
-		int tmp = (size + 8) & ~0x7ULL;
+		size_t tmp = (size + 8) & ~0x7ULL;
 		DPRINTF("  %d -> %d\n", size, tmp);
+		ASSERT(tmp >= size);
 		size = tmp;
 	}