- BufferLen = Width * Height * sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);\r
- BltBuffer = (EFI_GRAPHICS_OUTPUT_BLT_PIXEL *) AllocateZeroPool (BufferLen);\r
+ //\r
+ // Make sure the final width and height doesn't overflow UINT16.\r
+ //\r
+ if ((BltX > (UINTN)MAX_UINT16 - Image->Width) || (BltY > (UINTN)MAX_UINT16 - Image->Height)) {\r
+ return EFI_INVALID_PARAMETER;\r
+ }\r
+\r
+ Width = Image->Width + (UINT16)BltX;\r
+ Height = Image->Height + (UINT16)BltY;\r
+\r
+ //\r
+ // Make sure the output image size doesn't overflow UINTN.\r
+ //\r
+ BufferLen = Width * Height;\r
+ if (BufferLen > MAX_UINTN / sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL)) {\r
+ return EFI_OUT_OF_RESOURCES;\r
+ }\r
+ BufferLen *= sizeof (EFI_GRAPHICS_OUTPUT_BLT_PIXEL);\r
+ BltBuffer = AllocateZeroPool (BufferLen);\r