app: aboot: Add integer overflow checks
Added integer overflow checks when reading the boot image
from the flash device.
Change-Id: I7c5af9fe7bc176be786aabd038e828eb211424d2
FPIIM-819
Change-Id: Ie1832cbaea8ce2a5b6ca098c115f188fb2a5ba66
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 0f0db40..e975f5b 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1322,12 +1322,24 @@
kernel_actual + ramdisk_actual);
bs_set_timestamp(BS_KERNEL_LOAD_START);
+ if (UINT_MAX - offset < kernel_actual)
+ {
+ dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+ return -1;
+ }
+
if (flash_read(ptn, offset, (void *)hdr->kernel_addr, kernel_actual)) {
dprintf(CRITICAL, "ERROR: Cannot read kernel image\n");
return -1;
}
offset += kernel_actual;
+ if (UINT_MAX - offset < ramdisk_actual)
+ {
+ dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+ return -1;
+ }
+
if (flash_read(ptn, offset, (void *)hdr->ramdisk_addr, ramdisk_actual)) {
dprintf(CRITICAL, "ERROR: Cannot read ramdisk image\n");
return -1;
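Review bot: The new checks on lines 14 and 25 only bound the source arithmetic `offset + kernel_actual` and `offset + ramdisk_actual`; the destination ranges `hdr->kernel_addr + kernel_actual` and `hdr->ramdisk_addr + ramdisk_actual` handed to flash_read on the following lines come from the same boot image header and are not range-checked anywhere in this hunk. If that validation happens elsewhere in the function it is not visible here, so a comment before the first flash_read such as `/* kernel_addr/ramdisk_addr destination ranges are validated in <PLACEHOLDER: where> before this point */` would make the intended coverage of these checks explicit. The form `UINT_MAX - offset < kernel_actual` is only a complete guard if `offset` and the `*_actual` values are `unsigned int`; their declarations are outside the hunk, so confirm the types (a wider `offset` would make the comparison against UINT_MAX meaningless). The same five-line check is pasted three times (twice here and once in the second hunk) with an identical message; a single `static inline` helper or macro would keep the three copies from drifting. The enclosing function starts and ends outside the hunk.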
@@ -1339,6 +1351,11 @@
bs_set_timestamp(BS_KERNEL_LOAD_DONE);
if(hdr->second_size != 0) {
+ if (UINT_MAX - offset < second_actual)
+ {
+ dprintf(CRITICAL, "ERROR: Integer overflow in boot image header %s\t%d\n",__func__,__LINE__);
+ return -1;
+ }
offset += second_actual;
/* Second image loading not implemented. */
ASSERT(0);