app: aboot: fix buffer overread in flashing image
Prevent buffer overread in cmd_flash_meta_img function.
Change-Id: Icb24fc56f37138df7e36492d3c8abe67878394c5
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index ae4aa63..8ef8857 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -2649,8 +2649,29 @@
int i, images;
meta_header_t *meta_header;
img_header_entry_t *img_header_entry;
+ /*End of the image address*/
+ uintptr_t data_end;
+
+ if( (UINT_MAX - sz) > (uintptr_t)data )
+ data_end = (uintptr_t)data + sz;
+ else
+ {
+ fastboot_fail("Cannot flash: image header corrupt");
+ return;
+ }
+
+ if( data_end < ((uintptr_t)data + sizeof(meta_header_t)))
+ {
+ fastboot_fail("Cannot flash: image header corrupt");
+ return;
+ }
meta_header = (meta_header_t*) data;
+ if( data_end < ((uintptr_t)data + meta_header->img_hdr_sz))
+ {
+ fastboot_fail("Cannot flash: image header corrupt");
+ return;
+ }
img_header_entry = (img_header_entry_t*) (data+sizeof(meta_header_t));
images = meta_header->img_hdr_sz / sizeof(img_header_entry_t);
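Review bot: The bound on L29 is computed as `(uintptr_t)data + meta_header->img_hdr_sz`, and since img_hdr_sz is read from the image being flashed, a large value can wrap that addition on a 32-bit uintptr_t and slip past the `data_end <` comparison; the L15 guard only protects the `data + sz` sum, not this one. The same check also measures the entry table from `data` although L34 places the table at `data + sizeof(meta_header_t)`, so if img_hdr_sz counts only the entries (as the division on L35 suggests) the table may still extend up to sizeof(meta_header_t) bytes beyond the buffer. Both issues go away by comparing lengths instead of addresses, since L23 already guarantees the subtraction cannot underflow: `if (meta_header->img_hdr_sz > data_end - (uintptr_t)data - sizeof(meta_header_t))`. As a point of style, L15 mixes `UINT_MAX` with a `uintptr_t` operand; `UINTPTR_MAX` states the intent directly. The enclosing cmd_flash_meta_img starts before this hunk.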
@@ -2662,6 +2683,13 @@
(img_header_entry[i].size == 0))
break;
+ if( data_end < ((uintptr_t)data + img_header_entry[i].start_offset
+ + img_header_entry[i].size) )
+ {
+ fastboot_fail("Cannot flash: image size mismatch");
+ break;
+ }
+
cmd_flash_mmc_img(img_header_entry[i].ptn_name,
(void *) data + img_header_entry[i].start_offset,
img_header_entry[i].size);
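Review bot: The new check on L39-L40 adds `start_offset + size` before comparing, and since both fields come from the image header, that sum can wrap (certainly if they are 32-bit fields, which the page does not show) so that a small start_offset paired with a huge size passes the check and cmd_flash_mmc_img on L46-L48 still reads past the buffer. Comparing each field against the remaining length avoids the wrap: `if (img_header_entry[i].start_offset > data_end - (uintptr_t)data ||` / `    img_header_entry[i].size > data_end - (uintptr_t)data - img_header_entry[i].start_offset)`. It is also worth a comment that the `break` on L43 leaves the loop after fastboot_fail rather than returning; whatever follows the loop is outside this hunk, so I cannot tell whether a later success reply can still be sent on this path.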