app: aboot: Add integer overflow checks

Add integer overflow checks when reading the boot image
from the flash device.

Change-Id: I7c5af9fe7bc176be786aabd038e828eb211424d2

FPIIM-819

Change-Id: Ie1832cbaea8ce2a5b6ca098c115f188fb2a5ba66
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 0f0db40..e975f5b 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1322,12 +1322,24 @@
 				kernel_actual + ramdisk_actual);
 		bs_set_timestamp(BS_KERNEL_LOAD_START);
 
+		if (UINT_MAX - offset < kernel_actual)
+		{
+			dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+			return -1;
+		}
+
 		if (flash_read(ptn, offset, (void *)hdr->kernel_addr, kernel_actual)) {
 			dprintf(CRITICAL, "ERROR: Cannot read kernel image\n");
 			return -1;
 		}
 		offset += kernel_actual;
 
+		if (UINT_MAX - offset < ramdisk_actual)
+		{
+			dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+			return -1;
+		}
+
 		if (flash_read(ptn, offset, (void *)hdr->ramdisk_addr, ramdisk_actual)) {
 			dprintf(CRITICAL, "ERROR: Cannot read ramdisk image\n");
 			return -1;
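Review bot: The ramdisk overflow check sits after the kernel `flash_read`, so a header whose ramdisk size would wrap `offset` is rejected only once the kernel has already been copied to `hdr->kernel_addr`. Validating both sizes before the first read keeps a malformed header from writing anything to memory, e.g. `if (UINT_MAX - offset < kernel_actual || UINT_MAX - offset - kernel_actual < ramdisk_actual)` ahead of the kernel read, with the existing `dprintf` and `return -1`. The context line at the top of the hunk also evaluates `kernel_actual + ramdisk_actual` before either guard runs; that statement starts outside the hunk, so whether a wrapped sum matters there should be checked. The guards are only correct if `offset` and the `*_actual` values are `unsigned int`, and their declarations and the rounding that produces them are not visible here.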
@@ -1339,6 +1351,11 @@
 		bs_set_timestamp(BS_KERNEL_LOAD_DONE);
 
 		if(hdr->second_size != 0) {
+			if (UINT_MAX - offset < second_actual)
+			{
+				dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+				return -1;
+			}
 			offset += second_actual;
 			/* Second image loading not implemented. */
 			ASSERT(0);
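Review bot: A header with a non-zero `second_size` now fails in two different ways in this branch: `return -1` when `offset + second_actual` would wrap, and `ASSERT(0)` otherwise. Since the comment says second-image loading is not implemented, the updated `offset` is not used by any read visible here, so rejecting the header outright would be simpler and would not depend on how `ASSERT` is built: `dprintf(CRITICAL, "ERROR: Second image not supported\n"); return -1;`. The rest of the function lies outside the hunk, so confirm nothing later reads `offset` on this path.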