From 8aa8bde721f71e49693434f4f21f8ff255eeb962 Mon Sep 17 00:00:00 2001
From: Cody Schafer <cody@linux.vnet.ibm.com>
Date: Thu, 19 Jul 2012 20:05:25 -0700
Subject: [PATCH] --- yaml --- r: 320459 b: refs/heads/master c:
 8696329b7bcf32e69ad12d5975ad1497936d43ec h: refs/heads/master i:   320457:
 566afeea5fcfb0023217018f28fa9d3c7958a62a   320455:
 ee8dea5c30b0beb305d0bceb72208347b0097a16 v: v3

---
 [refs]                           |  2 +-
 trunk/tools/perf/util/annotate.c | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/[refs] b/[refs]
index 027c9c7f290c..40c0e6c9abe4 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 52f18a2ff9b012a7efdbd520ca0dc0e118a8a837
+refs/heads/master: 8696329b7bcf32e69ad12d5975ad1497936d43ec
diff --git a/trunk/tools/perf/util/annotate.c b/trunk/tools/perf/util/annotate.c
index 7d3641f6332c..3a282c0057d2 100644
--- a/trunk/tools/perf/util/annotate.c
+++ b/trunk/tools/perf/util/annotate.c
@@ -426,7 +426,18 @@ int symbol__alloc_hist(struct symbol *sym)
 {
 	struct annotation *notes = symbol__annotation(sym);
 	const size_t size = symbol__size(sym);
-	size_t sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+	size_t sizeof_sym_hist;
+
+	/* Check for overflow when calculating sizeof_sym_hist */
+	if (size > (SIZE_MAX - sizeof(struct sym_hist)) / sizeof(u64))
+		return -1;
+
+	sizeof_sym_hist = (sizeof(struct sym_hist) + size * sizeof(u64));
+
+	/* Check for overflow in zalloc argument */
+	if (sizeof_sym_hist > (SIZE_MAX - sizeof(*notes->src))
+				/ symbol_conf.nr_events)
+		return -1;
 
 	notes->src = zalloc(sizeof(*notes->src) + symbol_conf.nr_events * sizeof_sym_hist);
 	if (notes->src == NULL)