diff options
author | Bill Richardson <wfrichar@chromium.org> | 2012-07-30 15:03:30 -0700 |
---|---|---|
committer | Gerrit <chrome-bot@google.com> | 2012-07-31 11:59:25 -0700 |
commit | 261beed560e82b0829e6bfc1f082faf1dfdca8b5 (patch) | |
tree | 368bdc41ca641bd55fe49c18f1bb00c39b91689f | |
parent | 37754f9b70a4300fe9d8e40ce6fb7bc6e57d7ec8 (diff) | |
download | chrome-ec-261beed560e82b0829e6bfc1f082faf1dfdca8b5.tar.gz |
security: Check for integer overflow in VbExMalloc()
Make sure we don't roll over when rounding up to align the requested size.
BUG=chrome-os-partner:11642
TEST=none
No test; if security guys approve code change, it's fixed.
Change-Id: I2e915a6e6b37fc315ab7adb435e2fce4eed670ba
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-on: https://gerrit.chromium.org/gerrit/28729
Reviewed-by: Sumit Gwalani <sumitg@google.com>
Reviewed-by: Gaurav Shah <gauravsh@chromium.org>
-rw-r--r-- | common/vboot_stub.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/common/vboot_stub.c b/common/vboot_stub.c index b9b6bed691..a04d050c63 100644 --- a/common/vboot_stub.c +++ b/common/vboot_stub.c @@ -95,8 +95,9 @@ void *VbExMalloc(size_t size) } if (size % 8) { - int tmp = (size + 8) & ~0x7ULL; + size_t tmp = (size + 8) & ~0x7ULL; DPRINTF(" %d -> %d\n", size, tmp); + ASSERT(tmp >= size); size = tmp; } |