Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 893893c2ee777a07d6439a8e8f36c50077a7056e^2..893893c2ee777a07d6439a8e8f36c50077a7056e / .
commit893893c2ee777a07d6439a8e8f36c50077a7056e[log] [tgz]
authorLinux Build Service Account <lnxbuild@quicinc.com>Wed Apr 26 05:13:23 2017 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>Wed Apr 26 05:13:23 2017 -0700
treea6278a80bd2bbde7deaae3dc55b4e62919800153
parent4983150c4cc12db3aee249ffdec633baa8370521 [diff]
parent56c68b0193a2cbc1c1f7a2a5c480f4b2971c7e40 [diff]
Merge "project: msm8909: Enable verified boot for msm8909"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 01ca589..fea7b1f 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -2,7 +2,7 @@
  * Copyright (c) 2009, Google Inc.
  * All rights reserved.
  *
- * Copyright (c) 2009-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2009-2017, The Linux Foundation. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are met:
@@ -2880,7 +2880,14 @@
 			(img_header_entry[i].start_offset == 0) ||
 			(img_header_entry[i].size == 0))
 			break;
-
+		if ((UINT_MAX - img_header_entry[i].start_offset) < (uintptr_t)data) {
+			fastboot_fail("Integer overflow detected in start_offset of img");
+			break;
+		}
+		else if ((UINT_MAX - (img_header_entry[i].start_offset + (uintptr_t)data)) < img_header_entry[i].size) {
+			fastboot_fail("Integer overflow detected in size of img");
+			break;
+		}
 		if( data_end < ((uintptr_t)data + img_header_entry[i].start_offset
 						+ img_header_entry[i].size) )
 		{