Check for integer overflow in prepare_response

Bug: 322483069
Test: gca_smoke
Change-Id: If6468d36c76499b23ecf6cd4c9c893a69259c811
Signed-off-by: Tommy Kardach <thomaskardach@google.com>
(cherry picked from commit 9ad0d2c3fde8c542bf7f9125f084498c2dafa53c)

1 files changed, 8 insertions, 0 deletions

diff --git a/lwis_periodic_io.c b/lwis_periodic_io.c
index 22800c8..36af3e0 100644
--- a/lwis_periodic_io.c
+++ b/lwis_periodic_io.c
@@ -388,9 +388,17 @@ static int prepare_response(struct lwis_client *client, struct lwis_periodic_io
 	for (i = 0; i < info->num_io_entries; ++i) {
 		struct lwis_io_entry *entry = &info->io_entries[i];
 		if (entry->type == LWIS_IO_ENTRY_READ) {
+			/* Check for size_t overflow. */
+			if (read_buf_size + reg_value_bytewidth < read_buf_size) {
+				return -EOVERFLOW;
+			}
 			read_buf_size += reg_value_bytewidth;
 			read_entries++;
 		} else if (entry->type == LWIS_IO_ENTRY_READ_BATCH) {
+			/* Check for size_t overflow when adding user defined size_in_bytes. */
+			if (read_buf_size + entry->rw_batch.size_in_bytes < read_buf_size) {
+				return -EOVERFLOW;
+			}
 			read_buf_size += entry->rw_batch.size_in_bytes;
 			read_entries++;
 		}