Merge "target: update the DSI PHY lane configuration settings"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 8b54199..5ff06ca 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1745,7 +1745,7 @@
/* Read and skip over sparse image header */
sparse_header = (sparse_header_t *) data;
- if ((sparse_header->total_blks * sparse_header->blk_sz) > size) {
+ if (((uint64_t)sparse_header->total_blks * (uint64_t)sparse_header->blk_sz) > size) {
fastboot_fail("size too large");
return;
}
@@ -1772,6 +1772,11 @@
/* Start processing chunks */
for (chunk=0; chunk<sparse_header->total_chunks; chunk++)
{
+ /* Make sure the total image size does not exceed the partition size */
+ if(((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz) >= size) {
+ fastboot_fail("size too large");
+ return;
+ }
/* Read and skip over chunk header */
chunk_header = (chunk_header_t *) data;
data += sizeof(chunk_header_t);
@@ -1790,6 +1795,23 @@
}
chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
+
+ /* Make sure multiplication does not overflow uint32 size */
+ if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz))
+ {
+ fastboot_fail("Bogus size sparse and chunk header");
+ return;
+ }
+
+ /* Make sure that the chunk size calculated from sparse image does not
+ * exceed partition size
+ */
+ if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size)
+ {
+ fastboot_fail("Chunk data size exceeds partition size");
+ return;
+ }
+
switch (chunk_header->chunk_type)
{
case CHUNK_TYPE_RAW:
@@ -1807,11 +1829,19 @@
fastboot_fail("flash write failure");
return;
}
+ if(total_blocks > (UINT_MAX - chunk_header->chunk_sz)) {
+ fastboot_fail("Bogus size for RAW chunk type");
+ return;
+ }
total_blocks += chunk_header->chunk_sz;
data += chunk_data_sz;
break;
case CHUNK_TYPE_DONT_CARE:
+ if(total_blocks > (UINT_MAX - chunk_header->chunk_sz)) {
+ fastboot_fail("bogus size for chunk DONT CARE type");
+ return;
+ }
total_blocks += chunk_header->chunk_sz;
break;
@@ -1821,6 +1851,10 @@
fastboot_fail("Bogus chunk size for chunk type Dont Care");
return;
}
+ if(total_blocks > (UINT_MAX - chunk_header->chunk_sz)) {
+ fastboot_fail("bogus size for chunk CRC type");
+ return;
+ }
total_blocks += chunk_header->chunk_sz;
data += chunk_data_sz;
break;
diff --git a/platform/msm_shared/partition_parser.c b/platform/msm_shared/partition_parser.c
index a702b45..387e9fc 100644
--- a/platform/msm_shared/partition_parser.c
+++ b/platform/msm_shared/partition_parser.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2013, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2013, 2015 The Linux Foundation. All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
@@ -856,10 +856,8 @@
return INVALID_PTN;
}
for (n = 0; n < partition_count; n++) {
- if (!memcmp
- (name, &partition_entries[n].name, input_string_length)
- && input_string_length ==
- strlen((const char *)&partition_entries[n].name)) {
+ if ((input_string_length == strlen((const char *)&partition_entries[n].name))
+ && !memcmp(name, &partition_entries[n].name, input_string_length)) {
return n;
}
}