From 52612185c60605542beb3745a2500ed65a8ffff0 Mon Sep 17 00:00:00 2001
From: Chris Wilson
Date: Fri, 15 Nov 2013 21:20:30 +0000
Subject: sna/damage: Guard against integer overflow before malloc

Check that the multiplication to compute the allocation will not overflow.

Signed-off-by: Chris Wilson
---
 src/sna/sna_damage.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'src/sna/sna_damage.c')
diff --git a/src/sna/sna_damage.c b/src/sna/sna_damage.c
index 5730a25d..fb161b58 100644
--- a/src/sna/sna_damage.c
+++ b/src/sna/sna_damage.c
@@ -206,6 +206,9 @@ static bool _sna_damage_create_boxes(struct sna_damage *damage,
 DBG((" %s(%d->%d): new\n", __FUNCTION__, count, n));
+ if (n > (INT_MAX - sizeof(*box)) / sizeof(BoxRec))
+ return false;
+
 box = malloc(sizeof(*box) + sizeof(BoxRec)*n);
 if (box == NULL)
 return false;
@@ -380,7 +383,7 @@ _sna_damage_create_elt_from_points(struct sna_damage *damage,
 DBG((" %s(): new elt\n", __FUNCTION__));
- if (! _sna_damage_create_boxes(damage, count))
+ if (!_sna_damage_create_boxes(damage, count))
 return damage;
 for (i = 0; i < count; i++) {
-- cgit v1.2.3
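Review bot: The new guard in `_sna_damage_create_boxes` compares `n` against a `size_t` expression, and the `%d` used for `n` in the DBG line just above suggests `n` is a signed int, so a negative `n` is rejected only as a side effect of its conversion to a large unsigned value. Stating that intent directly would be clearer and keeps -Wsign-compare quiet: `if (n < 0 || (size_t)n > (INT_MAX - sizeof(*box)) / sizeof(BoxRec))`, with a comment such as `/* keep sizeof(*box) + n * sizeof(BoxRec) within INT_MAX */` so the choice of INT_MAX over SIZE_MAX is visible. `n` is computed before the first line of this hunk, so whether that arithmetic can itself overflow before reaching the guard cannot be judged from here and is worth checking; the function body starts and ends outside the hunk.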