From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by mx.groups.io with SMTP id smtpd.web12.62061.1629324216846659089 for ; Wed, 18 Aug 2021 15:03:37 -0700 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: intel.com, ip: 192.55.52.93, mailfrom: michael.d.kinney@intel.com) X-IronPort-AV: E=McAfee;i="6200,9189,10080"; a="213316815" X-IronPort-AV: E=Sophos;i="5.84,332,1620716400"; d="scan'208";a="213316815" Received: from fmsmga005.fm.intel.com ([10.253.24.32]) by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Aug 2021 15:03:35 -0700 X-IronPort-AV: E=Sophos;i="5.84,332,1620716400"; d="scan'208";a="681411396" Received: from mdkinney-mobl2.amr.corp.intel.com ([10.212.191.175]) by fmsmga005-auth.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 Aug 2021 15:03:35 -0700 From: "Michael D Kinney" To: devel@edk2.groups.io Cc: Rebecca Cran , Yitzhak Briskman , Jian J Wang , Yonghong Zhu Subject: [edk2-libc Patch] StdLib/LibC/StdLib: Handle possible math overflow in malloc() Date: Wed, 18 Aug 2021 15:03:26 -0700 Message-Id: <20210818220326.339-1-michael.d.kinney@intel.com> X-Mailer: git-send-email 2.32.0.windows.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1510 Check for addition overflow in malloc() when computing NodeSize and return error if overflow is detected. Cc: Rebecca Cran Cc: Yitzhak Briskman Cc: Jian J Wang Cc: Yonghong Zhu Signed-off-by: Michael D Kinney --- StdLib/LibC/StdLib/Malloc.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/StdLib/LibC/StdLib/Malloc.c b/StdLib/LibC/StdLib/Malloc.c index c131b9e..7bf8827 100644 --- a/StdLib/LibC/StdLib/Malloc.c +++ b/StdLib/LibC/StdLib/Malloc.c 
@@ -94,6 +94,12 @@ malloc(size_t Size) return NULL; } + if ((Size + sizeof(CPOOL_HEAD)) < Size) { + RetVal = NULL; + errno = ENOMEM; + DEBUG((DEBUG_ERROR, "\nERROR malloc: Size overflow\n")); + } + NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD)); DEBUG((DEBUG_POOL, "malloc(%d): NodeSz: %d", Size, NodeSize)); -- 2.32.0.windows.1
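Review bot: The new overflow branch in malloc() has no `return`, so after setting `RetVal = NULL` and `errno = ENOMEM` execution falls through to the unchanged `NodeSize = (UINTN)(Size + sizeof(CPOOL_HEAD));` line and NodeSize takes the wrapped, too-small value that the check was meant to reject. The commit message says the function should "return error if overflow is detected", and the check just above this one in the context lines ends with `return NULL;`. Add `return NULL;` as the last statement of the new block, or put the rest of the function in an `else`, so that no later code can act on the wrapped NodeSize. As posted, the patch is safe only if code below the hunk tests RetVal before allocating, which the visible lines do not show.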