app: aboot: Add check for integer overflow in sparse block header size.
Add check to detect sparse header block size integer overflow.
Change-Id: Iaac3936c355796328c2b4cc7021e2d20f94a8426
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 83a2c49..ac1a4a5 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -3043,6 +3043,7 @@
uint64_t chunk_data_sz;
uint32_t *fill_buf = NULL;
uint32_t fill_val;
+ uint32_t blk_sz_actual = 0;
sparse_header_t *sparse_header;
chunk_header_t *chunk_header;
uint32_t total_blocks = 0;
@@ -3187,7 +3188,15 @@
return;
}
- fill_buf = (uint32_t *)memalign(CACHE_LINE, ROUNDUP(sparse_header->blk_sz, CACHE_LINE));
+ blk_sz_actual = ROUNDUP(sparse_header->blk_sz, CACHE_LINE);
+ /* Integer overflow detected */
+ if (blk_sz_actual < sparse_header->blk_sz)
+ {
+ fastboot_fail("Invalid block size");
+ return;
+ }
+
+ fill_buf = (uint32_t *)memalign(CACHE_LINE, blk_sz_actual);
if (!fill_buf)
{
fastboot_fail("Malloc failed for: CHUNK_TYPE_FILL");