lib/gterm, lib/image: Check for overflow in canvas and image size calculations

2026-04-02 20:13:46 +02:00
parent b4f336d098
commit 18848b6f4a
2 changed files with 9 additions and 3 deletions
--- a/common/lib/gterm.c
+++ b/common/lib/gterm.c
@@ -436,7 +436,11 @@ static void generate_canvas(struct fb_info *fb) {
        if (bg_canvas != NULL) {
            pmm_free(bg_canvas, bg_canvas_size);
        }
-        bg_canvas_size = fb->framebuffer_width * fb->framebuffer_height * sizeof(uint32_t);
+        bg_canvas_size = CHECKED_MUL(
+            CHECKED_MUL(fb->framebuffer_width, fb->framebuffer_height,
+                panic(false, "gterm: canvas size overflow")),
+            sizeof(uint32_t),
+            panic(false, "gterm: canvas size overflow"));
        bg_canvas = ext_mem_alloc(bg_canvas_size);

        // Clamp margin to half the framebuffer dimensions to prevent underflow
--- a/common/lib/image.c
+++ b/common/lib/image.c
@@ -48,14 +48,16 @@ struct image *image_open(struct file_handle *file) {

    // Convert ABGR to XRGB
    uint32_t *pptr = (void *)image->img;
-    size_t pixel_count = (size_t)x * (size_t)y;
+    size_t pixel_count = CHECKED_MUL((size_t)x, (size_t)y,
+        ({ pmm_free(image, sizeof(struct image)); return NULL; }));
    for (size_t i = 0; i < pixel_count; i++) {
        pptr[i] = (pptr[i] & 0x0000ff00) | ((pptr[i] & 0x00ff0000) >> 16) | ((pptr[i] & 0x000000ff) << 16);
    }

    image->x_size = x;
    image->y_size = y;
-    image->pitch = x * 4;
+    image->pitch = (int)CHECKED_MUL((size_t)x, (size_t)4,
+        ({ pmm_free(image, sizeof(struct image)); return NULL; }));
    image->bpp = 32;
    image->img_width = x;
    image->img_height = y;