1From 08413f2f4edec0e2d9bf15f836f6ee5ca2e379cb Mon Sep 17 00:00:00 2001 2From: Darren Kenny <darren.kenny@oracle.com> 3Date: Fri, 4 Dec 2020 14:51:30 +0000 4Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow 5 6It is minimal possibility that the values being used here will overflow. 7So, change the code to use the safemath function grub_mul() to ensure 8that doesn't happen. 9 10Fixes: CID 73761 11 12Signed-off-by: Darren Kenny <darren.kenny@oracle.com> 13Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 14Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 15--- 16 grub-core/video/fb/video_fb.c | 8 +++++++- 17 1 file changed, 7 insertions(+), 1 deletion(-) 18 19diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c 20index 1c9a138..ae6b89f 100644 21--- a/grub-core/video/fb/video_fb.c 22+++ b/grub-core/video/fb/video_fb.c 23@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info, 24 volatile void *page1_ptr) 25 { 26 grub_err_t err; 27- grub_size_t page_size = mode_info->pitch * mode_info->height; 28+ grub_size_t page_size = 0; 29+ 30+ if (grub_mul (mode_info->pitch, mode_info->height, &page_size)) 31+ { 32+ /* Shouldn't happen, but if it does we've a bug. */ 33+ return GRUB_ERR_BUG; 34+ } 35 36 framebuffer.offscreen_buffer = grub_malloc (page_size); 37 if (! framebuffer.offscreen_buffer) 38-- 392.14.2 40 41