Merge branch 'bugfix/queue_arith_overflow_v3.4' into 'release/v3.4'

freertos: Add queue init overflow check (backport v3.4)

See merge request sdk/ESP8266_RTOS_SDK!1613

Author: donghengqaz

components/freertos/freertos/queue.c

@@ -360,6 +360,7 @@ Queue_t * const pxQueue = ( Queue_t * ) xQueue;
 	Queue_t *pxNewQueue;
 	size_t xQueueSizeInBytes;
 	uint8_t *pucQueueStorage;
+	BaseType_t overflow;
 
 		configASSERT( uxQueueLength > ( UBaseType_t ) 0 );
 
@@ -375,7 +376,29 @@ Queue_t * const pxQueue = ( Queue_t * ) xQueue;
 			xQueueSizeInBytes = ( size_t ) ( uxQueueLength * uxItemSize ); /*lint !e961 MISRA exception as the casts are only redundant for some ports. */
 		}
 
-		pxNewQueue = ( Queue_t * ) pvPortMalloc( sizeof( Queue_t ) + xQueueSizeInBytes );
+		/* Check for multiplication overflow. */
+		overflow = ( uxItemSize != 0 ) && ( uxQueueLength != ( xQueueSizeInBytes / uxItemSize ) );
+
+		/* Check for addition overflow. */
+		overflow = overflow || ( ( sizeof( Queue_t ) + xQueueSizeInBytes ) < xQueueSizeInBytes );
+
+		if ( overflow == (BaseType_t) 0 )
+		{
+			/* Allocate the queue and storage area.	 Justification for MISRA
+			   deviation as follows:  pvPortMalloc() always ensures returned memory
+			   blocks are aligned per the requirements of the MCU stack.  In this case
+			   pvPortMalloc() must return a pointer that is guaranteed to meet the
+			   alignment requirements of the Queue_t structure - which in this case
+			   is an int8_t *.	Therefore, whenever the stack alignment requirements
+			   are greater than or equal to the pointer to char requirements the cast
+			   is safe.	 In other cases alignment requirements are not strict (one or
+			   two bytes). */
+			pxNewQueue = ( Queue_t * ) pvPortMalloc( sizeof( Queue_t ) + xQueueSizeInBytes ); /*lint !e9087 !e9079 see comment above. */
+		}
+		else
+		{
+			pxNewQueue = NULL;
+		}
 
 		if( pxNewQueue != NULL )
 		{

components/freertos/freertos/stream_buffer.c

@@ -242,8 +242,15 @@ static void prvInitialiseNewStreamBuffer( StreamBuffer_t * const pxStreamBuffer,
 		this is a quirk of the implementation that means otherwise the free
 		space would be reported as one byte smaller than would be logically
 		expected. */
-		xBufferSizeBytes++;
-		pucAllocatedMemory = ( uint8_t * ) pvPortMalloc( xBufferSizeBytes + sizeof( StreamBuffer_t ) ); /*lint !e9079 malloc() only returns void*. */
+		if( xBufferSizeBytes < ( xBufferSizeBytes + 1 + sizeof( StreamBuffer_t ) ) )
+		{
+			xBufferSizeBytes++;
+			pucAllocatedMemory = ( uint8_t * ) pvPortMalloc( xBufferSizeBytes + sizeof( StreamBuffer_t ) ); /*lint !e9079 malloc() only returns void*. */
+		}
+		else
+		{
+			pucAllocatedMemory = NULL;
+		}
 
 		if( pucAllocatedMemory != NULL )
 		{