Merge "project: msm8909: Update the ramdisk and tags load address"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index a282275..a16f083 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1635,6 +1635,12 @@
 	}
 #endif
 
+	/* Validate the boot/recovery image size is within the bounds of partition size */
+	if (imagesize_actual > image_size) {
+		dprintf(CRITICAL, "Image size is greater than partition size.\n");
+		return -1;
+	}
+
 #if VERIFIED_BOOT
 	boot_verifier_init();
 #endif
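Review bot: The new bound `if (imagesize_actual > image_size)` is only as strong as the arithmetic that produced `imagesize_actual`, which lies outside this hunk. If that value is a sum of header-supplied sizes held in a 32-bit type, a wrapped sum would pass the comparison. The comment should state the dependency, for example `/* imagesize_actual must already be overflow-checked; reject images larger than the partition */`. It is also worth confirming that no read sized by `imagesize_actual` happens earlier in the function, which starts and ends outside the hunk.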
@@ -4571,7 +4577,11 @@
 
 	fb_display = fbcon_display();
 	if (fb_display) {
-		if (header->type && (header->blocks != 0)) { // RLE24 compressed data
+		if (header->type && (header->blocks != 0) &&
+				(UINT_MAX >= header->blocks * 512) &&
+				((header->blocks * 512) <=  (fb_display->width *
+				fb_display->height * (fb_display->bpp / 8)))) {
+					/* RLE24 compressed data */
 			uint8_t *base = (uint8_t *) fb_display->base + LOGO_IMG_OFFSET;
 
 			/* if the logo is full-screen size, remove "fbcon_clear()" */
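Review bot: The overflow guard `(UINT_MAX >= header->blocks * 512)` cannot fail if `header->blocks` is an unsigned 32-bit field, whose declaration is not in the hunk. The product is computed in that type and has already wrapped before the comparison, so a large `blocks` value passes and may also satisfy the size comparison with a small wrapped product. Bound the operand before multiplying, `(header->blocks <= UINT_MAX / 512) &&`; the later hunk at -4668 has the same defect and needs `(header->blocks <= (UINT_MAX - LOGO_IMG_HEADER_SIZE) / 512) &&`. The framebuffer product `width * height * (bpp / 8)` can wrap in the same way. Since the data lands at `fb_display->base + LOGO_IMG_OFFSET`, the limit should probably subtract that offset as well.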
@@ -4668,7 +4678,11 @@
 	}
 
 	if (fb_display) {
-		if (header->type && (header->blocks != 0)) { /* 1 RLE24 compressed data */
+		if (header->type && (header->blocks != 0) &&
+			(UINT_MAX >= header->blocks * 512 + LOGO_IMG_HEADER_SIZE) &&
+			((header->blocks * 512) <=  (fb_display->width *
+			fb_display->height * (fb_display->bpp / 8)))) {
+			/* 1 RLE24 compressed data */
 			base += LOGO_IMG_OFFSET;
 
 			realsize =  header->blocks * 512;
diff --git a/platform/msm_shared/avb/libavb/avb_slot_verify.c b/platform/msm_shared/avb/libavb/avb_slot_verify.c
index 6d3e64f..c4039d1 100644
--- a/platform/msm_shared/avb/libavb/avb_slot_verify.c
+++ b/platform/msm_shared/avb/libavb/avb_slot_verify.c
@@ -305,14 +305,8 @@
     }
     avb_debugv(part_name, ": Loading entire partition.\n", NULL);
 
-    image_buf = avb_malloc(image_size);
-    if (image_buf == NULL) {
-      ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
-      goto out;
-    }
-
     io_ret = ops->read_from_partition(
-        ops, part_name, 0 /* offset */, image_size, image_buf, &part_num_read);
+        ops, part_name, 0 /* offset */, image_size, &image_buf, &part_num_read);
     if (io_ret == AVB_IO_RESULT_ERROR_OOM) {
       ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM;
       goto out;
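Review bot: Passing `&image_buf` moves buffer allocation into `read_from_partition`, but nothing visible here says who owns the returned pointer or checks that it was set. If the cleanup at `out:` (outside the hunk) still calls `avb_free(image_buf)`, a callee that returns a pointer into a preloaded or static region would have it freed incorrectly. An `ops` implementation still declared with a `void*` buffer parameter would also accept `&image_buf` without a diagnostic and write image data over the pointer variable itself. I would document the contract at the call, e.g. `/* callee sets image_buf; caller frees it only if the ops contract says so */`, and reject a missing buffer with `if (io_ret == AVB_IO_RESULT_OK && image_buf == NULL)` before use.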