From 261beed560e82b0829e6bfc1f082faf1dfdca8b5 Mon Sep 17 00:00:00 2001
From: Bill Richardson
Date: Mon, 30 Jul 2012 15:03:30 -0700
Subject: security: Check for integer overflow in VbExMalloc()
Make sure we don't roll over when rounding up to align the requested size.
BUG=chrome-os-partner:11642
TEST=none No test; if security guys approve code change, it's fixed.
Change-Id: I2e915a6e6b37fc315ab7adb435e2fce4eed670ba
Signed-off-by: Bill Richardson
Reviewed-on: https://gerrit.chromium.org/gerrit/28729
Reviewed-by: Sumit Gwalani
Reviewed-by: Gaurav Shah
---
common/vboot_stub.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/common/vboot_stub.c b/common/vboot_stub.c
index b9b6bed691..a04d050c63 100644
--- common/vboot_stub.c
+++ b/common/vboot_stub.c
@@ -95,8 +95,9 @@ void *VbExMalloc(size_t size)
 }
 if (size % 8) {
- int tmp = (size + 8) & ~0x7ULL;
+ size_t tmp = (size + 8) & ~0x7ULL;
 DPRINTF(" %d -> %d\n", size, tmp);
+ ASSERT(tmp >= size);
 size = tmp;
 }
-- cgit v1.2.1
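Review bot: The overflow check added after the DPRINTF line is an `ASSERT(tmp >= size)`, and if ASSERT is compiled out in production builds (its definition is not visible in this hunk) a wrapped `tmp` is still assigned to `size` and the allocation proceeds undersized. Because the check guards an allocation size that callers then write into, an unconditional test such as `if (tmp < size) VbExError("VbExMalloc: size overflow\n");` (or whatever fatal path the rest of VbExMalloc already uses) would hold in every build configuration. Separately, the DPRINTF line now passes two `size_t` values to `%d`, a format mismatch on LP64 targets; `DPRINTF(" %zu -> %zu\n", size, tmp);` matches the new type, provided the platform's printf supports the `z` modifier. VbExMalloc's body starts and ends outside the hunk, so any later arithmetic on `size` (for example adding a header or alignment slack) is not covered by this check and deserves the same wrap test.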