calloc() should allocate a memory buffer that fits the product of its arguments or return NULL if this is not possible. We violated this so far and a wraparound would result in allocating a too small buffer leading to buffer overflows. Fix this by using size_mull which saturates at SIZE_MAX, which malloc should gracefully return NULL for.
Signed-off-by: Ahmad Fatoum <a.fatoum@xxxxxxxxxxxxxx>
---
common/calloc.c | 3 ++-
common/dlmalloc.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/common/calloc.c b/common/calloc.c
index 65e843350d47..12f18474a4c8 100644
--- a/common/calloc.c
+++ b/common/calloc.c
@@ -2,13 +2,14 @@
 #include <common.h>
 #include <malloc.h>
+#include <linux/overflow.h>
 /*
  * calloc calls malloc, then zeroes out the allocated chunk.
  */
 void *calloc(size_t n, size_t elem_size)
 {
- size_t size = elem_size * n;
+ size_t size = size_mul(elem_size, n);
 void *r = malloc(size);
 if (!r)
diff --git a/common/dlmalloc.c b/common/dlmalloc.c
index c41487d54b4a..3a77a344576c 100644
--- a/common/dlmalloc.c
+++ b/common/dlmalloc.c
@@ -4,6 +4,7 @@
 #include <malloc.h>
 #include <string.h>
 #include <memory.h>
+#include <linux/overflow.h>
 #include <linux/build_bug.h>
 #include <stdio.h>
@@ -1739,7 +1740,7 @@ void *calloc(size_t n, size_t elem_size)
 {
 mchunkptr p;
 INTERNAL_SIZE_T csz;
- INTERNAL_SIZE_T sz = n * elem_size;
+ INTERNAL_SIZE_T sz = size_mul(n, elem_size);
 void *mem;
 /* check if expand_top called, in which case don't need to clear */
--
2.39.2
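Review bot: The new `size_mul()` line in common/calloc.c turns an overflowing `n * elem_size` into SIZE_MAX and still hands that value to malloc(), so the protection holds only as long as every malloc backend refuses a SIZE_MAX request — the commit message itself says malloc "should" return NULL, not that it does. If any backend returned a chunk for that request, the zeroing that presumably follows (the rest of calloc() is outside this hunk) would write far beyond the allocation, which is exactly the overflow the patch sets out to close. An explicit check keeps the contract local to calloc() instead of depending on allocator internals: `size_t size;` / `if (check_mul_overflow(n, elem_size, &size))` / `return NULL;` ahead of `void *r = malloc(size);`, assuming barebox's copy of linux/overflow.h carries check_mul_overflow() alongside size_mul(). The same consideration applies to the calloc() hunk in common/dlmalloc.c.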
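Review bot: In the common/dlmalloc.c calloc() hunk the saturated size_t from `size_mul(n, elem_size)` is stored into an `INTERNAL_SIZE_T`, and a reader of that line cannot tell why a saturated value is acceptable or that it relies on the SIZE_MAX sentinel surviving the conversion; if INTERNAL_SIZE_T were ever configured narrower than size_t the sentinel would be truncated to an ordinary, allocatable size. Since linux/build_bug.h is already included by this file (visible in the first hunk), the assumption can be pinned and documented in two lines next to the assignment: `BUILD_BUG_ON(sizeof(INTERNAL_SIZE_T) < sizeof(size_t));` and `/* size_mul() saturates at SIZE_MAX; malloc() is relied on to reject that request */`. The function's signature sits just above the hunk and its body, including the malloc() call that must reject the saturated request, continues below it, so that reliance cannot be confirmed from the hunk alone.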