sna/damage: Guard against integer overflow before malloc
authorChris Wilson <chris@chris-wilson.co.uk>
Fri, 15 Nov 2013 21:20:30 +0000 (21:20 +0000)
committerChris Wilson <chris@chris-wilson.co.uk>
Fri, 15 Nov 2013 21:20:30 +0000 (21:20 +0000)
Check that the multiplication to compute the allocation will not
overflow.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
src/sna/sna_damage.c

index 5730a25..fb161b5 100644 (file)
@@ -206,6 +206,9 @@ static bool _sna_damage_create_boxes(struct sna_damage *damage,
 
        DBG(("    %s(%d->%d): new\n", __FUNCTION__, count, n));
 
+       if (n > (INT_MAX - sizeof(*box)) / sizeof(BoxRec))
+               return false;
+
        box = malloc(sizeof(*box) + sizeof(BoxRec)*n);
        if (box == NULL)
                return false;
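Review bot: The guard added before `malloc` in `_sna_damage_create_boxes` rejects a negative `n` only through the implicit conversion to `size_t` in the comparison, and nothing at the check says so; `n` is printed with `%d` in the `DBG` line above, so it is presumably a signed int. A short comment would stop a later cleanup from adding a cast that silently removes that protection, e.g. `/* n is converted to size_t here, so negative values are rejected too; INT_MAX keeps the byte count within int range */`. `n` is derived from `count` earlier in the function, outside this hunk, so any arithmetic there runs before this check and should be confirmed not to overflow on its own. The function body starts and ends outside the hunk.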
@@ -380,7 +383,7 @@ _sna_damage_create_elt_from_points(struct sna_damage *damage,
 
        DBG(("    %s(): new elt\n", __FUNCTION__));
 
-       if (! _sna_damage_create_boxes(damage, count))
+       if (!_sna_damage_create_boxes(damage, count))
                return damage;
 
        for (i = 0; i < count; i++) {