From f1dd37fbdb2a8c18c896f79aa48010d516b6cd1c Mon Sep 17 00:00:00 2001
From: YAMAMOTO Takashi
Date: Thu, 6 May 2021 09:54:00 +0900
Subject: [PATCH] quirc_resize: Make this a bit more careful about integer overflows

Also, avoid malloc(0), which is not too portable.
---
 lib/quirc.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/quirc.c b/lib/quirc.c
index 6108cfb..3cf75b9 100644
--- a/lib/quirc.c
+++ b/lib/quirc.c
@@ -50,6 +50,7 @@ int quirc_resize(struct quirc *q, int w, int h)
 uint8_t *image = NULL;
 quirc_pixel_t *pixels = NULL;
 size_t num_vars;
+ size_t vars_byte_size;
 struct quirc_flood_fill_vars *vars = NULL;
 /*
@@ -100,8 +101,19 @@ int quirc_resize(struct quirc *q, int w, int h)
 * - the maximum height of rings would be about 1/3 of the image height.
 */
- num_vars = h * 2 / 3;
- vars = malloc(sizeof(*vars) * num_vars);
+ if ((size_t)h * 2 / 2 != h) {
+ goto fail; /* size_t overflow */
+ }
+ num_vars = (size_t)h * 2 / 3;
+ if (num_vars == 0) {
+ num_vars = 1;
+ }
+
+ vars_byte_size = sizeof(*vars) * num_vars;
+ if (vars_byte_size / sizeof(*vars) != num_vars) {
+ goto fail; /* size_t overflow */
+ }
+ vars = malloc(vars_byte_size);
 if (!vars)
 goto fail;
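Review bot: The first guard in the second hunk, `if ((size_t)h * 2 / 2 != h)`, compares a `size_t` expression with the signed `int h`, so it relies on the implicit conversion of `h` to unsigned and is likely to trip `-Wsign-compare`. Where `size_t` is at least as wide as `int` it cannot fire for a non-negative `h`; what it actually rejects, as far as I can tell, is a negative height, which the `/* size_t overflow */` comment does not say. Stating that directly is easier to audit: `if (h < 0 || (size_t)h > SIZE_MAX / 2) goto fail;` (needs `<stdint.h>` if it is not already included), with a comment that negative heights are refused here. The byte-size check could likewise use the pre-multiplication form `if (num_vars > SIZE_MAX / sizeof(*vars)) goto fail;`, so that no wrapped value is ever computed. The body of quirc_resize starts and ends outside the hunk, so whether `h` is validated earlier and what the `fail` label frees are not visible here.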