commit 6fe86eef621b9849f51a5e1e5d73258a93440403
Author: Quang Nguyễn
Date: Mon Mar 13 22:34:48 2017 +0700
provide a validity check to prevent against Integer overflow conditions (#870)
* provide a validity check to prevent against Integer overflow conditions
* fix some style issues.
diff --git a/windows/winkernel_mm.c b/windows/winkernel_mm.c
index c127da3a..ecdc1ca2 100644
--- a/windows/winkernel_mm.c
+++ b/windows/winkernel_mm.c
@@ -3,6 +3,7 @@
 #include "winkernel_mm.h"
 #include
+#include
 // A pool tag for memory allocation
 static const ULONG CS_WINKERNEL_POOL_TAG = 'kwsC';
@@ -33,8 +34,16 @@ void * CAPSTONE_API cs_winkernel_malloc(size_t size)
 // FP; a use of NonPagedPool is required for Windows 7 support
 #pragma prefast(suppress : 30030) // Allocating executable POOL_TYPE memory
- CS_WINKERNEL_MEMBLOCK *block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
- NonPagedPool, size + sizeof(CS_WINKERNEL_MEMBLOCK), CS_WINKERNEL_POOL_TAG);
+ size_t number_of_bytes = 0;
+ CS_WINKERNEL_MEMBLOCK *block = NULL;
+ // A specially crafted size value can trigger the overflow.
+ // If the sum in a value that overflows or underflows the capacity of the type,
+ // the function returns NULL.
+ if (!NT_SUCCESS(RtlSizeTAdd(size, sizeof(CS_WINKERNEL_MEMBLOCK), &number_of_bytes))) {
+ return NULL;
+ }
+ block = (CS_WINKERNEL_MEMBLOCK *)ExAllocatePoolWithTag(
+ NonPagedPool, number_of_bytes, CS_WINKERNEL_POOL_TAG);
 if (!block) {
 return NULL;
 }
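Review bot: The three-line comment added above the RtlSizeTAdd call in cs_winkernel_malloc is ungrammatical ("If the sum in a value that overflows...") and mentions underflow, which cannot happen when two size_t values are added; only wrap-around past SIZE_MAX is possible, and that is exactly what the old `size + sizeof(CS_WINKERNEL_MEMBLOCK)` expression would silently do before handing an undersized request to ExAllocatePoolWithTag. Suggest replacing it with `// size + sizeof(CS_WINKERNEL_MEMBLOCK) can wrap for a crafted size; RtlSizeTAdd reports the overflow and we return NULL rather than allocating a short block.` The header added in the first hunk has lost its filename in this rendering, so a reader cannot confirm from the page that the header declaring RtlSizeTAdd is the one being included; worth checking in the actual patch. The body of cs_winkernel_malloc continues past the end of this hunk, so how the block is initialised after the allocation is not visible here.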