Casting operands to a wider type to prevent integer overflow

Previously the calculation for total_size was done in 32-bits, as the
operands were all 32-bit signed or unsigned integers. This led to
integer overflow when the extent being allocated is too large.
total_size is finally cast to size_t, as the kernel UAPI for ION uses
size_t.

Change-Id: I7a76b2c18be25fda0bf6ef70cd8a6fe717c2903c
Signed-off-by: Fufu Fang <fufu.fang@arm.com>

1 files changed, 8 insertions, 3 deletions

diff --git a/util/wsialloc/wsialloc_ion.c b/util/wsialloc/wsialloc_ion.c
index c9bdeca..70fd66c 100644
--- a/util/wsialloc/wsialloc_ion.c
+++ b/util/wsialloc/wsialloc_ion.c
@@ -103,7 +103,7 @@ static int find_alloc_heap_id(int fd)
    return alloc_heap_id;
 }
 
-static int allocate(int fd, uint64_t size, uint32_t heap_id)
+static int allocate(int fd, size_t size, uint32_t heap_id)
 {
    assert(size > 0);
    assert(fd != -1);
@@ -225,6 +225,7 @@ static wsialloc_error allocate_format(const wsialloc_allocator *allocator, const
    assert(info != NULL);
    assert(offsets != NULL);
    assert(strides != NULL);
+   assert(strides[0] >= 0);
    assert(buffer_fds != NULL);
 
    const uint64_t flags = descriptor->format.flags;
@@ -244,9 +245,13 @@ static wsialloc_error allocate_format(const wsialloc_allocator *allocator, const
       alloc_heap_id = allocator->protected_alloc_heap_id;
    }
 
-   size_t total_size = offsets[0] + (strides[0] * info->height);
+   uint64_t total_size = offsets[0] + (uint64_t)strides[0] * info->height;
+   if (total_size > SIZE_MAX)
+   {
+      return WSIALLOC_ERROR_NO_RESOURCE;
+   }
+   buffer_fds[0] = allocate(allocator->fd, (size_t)total_size, alloc_heap_id);
 
-   buffer_fds[0] = allocate(allocator->fd, total_size, alloc_heap_id);
    if (buffer_fds[0] < 0)
    {
       return WSIALLOC_ERROR_NO_RESOURCE;