From 0db46fb6cc8cb57444c9fa29988ffaa00d56d37c Mon Sep 17 00:00:00 2001
From: David Chalco <david@chalco.io>
Date: Tue, 7 Apr 2020 17:30:54 -0700
Subject: [PATCH] fix potential out of bounds memcpy when multiplication
 overflow in queue creation

---
 queue.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/queue.c b/queue.c
index 14ad01ec9..ec1339c7e 100644
--- a/queue.c
+++ b/queue.c
@@ -377,6 +377,16 @@ Queue_t * const pxQueue = xQueue;
 		can be in the queue at any time.  It is valid for uxItemSize to be
 		zero in the case the queue is used as a semaphore. */
 		xQueueSizeInBytes = ( size_t ) ( uxQueueLength * uxItemSize ); /*lint !e961 MISRA exception as the casts are only redundant for some ports. */
+		
+		/* Guard against multiplication overflow which could otherwise lead to downstream memcpy copying out of bounds. */
+		if( uxItemSize != 0 )
+		{
+			configASSERT( uxQueueLength == ( xQueueSizeInBytes / uxItemSize ) );
+		}
+		else
+		{
+			mtCOVERAGE_TEST_MARKER();
+		}
 
 		/* Allocate the queue and storage area.  Justification for MISRA
 		deviation as follows:  pvPortMalloc() always ensures returned memory