platform: msm_shared: Fix potential buffer overflow The signature length is calcualted from the signature buffer, the length calculated is then passed to d2i apis for signature decoding. The length could be any arbitrary value and can cause buffer overread in the d2i apis. To make sure there are no buffer overflows check the return value of read_der_message_length api does not exceed size of signature buffer. Also make sure the there are no buffer overreads in cmd_boot, if the boot buffer size - total image size excluding the signature is less than page_size then assert with the failure. Change-Id: I19b32b28ec61510064259a6271b4e5a918a12951

commit: bf6ce7d2fd248ec5bab0707bdfb0467ac0e1606f [log] [tgz]
author: Channagoud Kadabi <ckadabi@codeaurora.org> Thu Sep 17 13:25:35 2015 -0700
committer: Channagoud Kadabi <ckadabi@codeaurora.org> Mon Oct 19 10:49:02 2015 -0700
tree: 4a4d7570a2621e2ce3f9ce962ed1dfa8ea202546
parent: ad26c7677639c197aae097fb17aa4b3e76e7b8d4 [diff] [blame]
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 44b0858..e43f120 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c

@@ -2151,6 +2151,14 @@
 	// Initialize boot state before trying to verify boot.img
 #if VERIFIED_BOOT
 		boot_verifier_init();
+	/* Handle overflow if the input image size is greater than
+	 * boot image buffer can hold
+	 */
+	if ((target_get_max_flash_size() - (image_actual - sig_actual)) < page_size)
+	{
+		fastboot_fail("booimage: size is greater than boot image buffer can hold");
+		return;
+	}
 #endif
 
 	/* Verify the boot image
commit	bf6ce7d2fd248ec5bab0707bdfb0467ac0e1606f	[log] [tgz]
author	Channagoud Kadabi <ckadabi@codeaurora.org>	Thu Sep 17 13:25:35 2015 -0700
committer	Channagoud Kadabi <ckadabi@codeaurora.org>	Mon Oct 19 10:49:02 2015 -0700
tree	4a4d7570a2621e2ce3f9ce962ed1dfa8ea202546
parent	ad26c7677639c197aae097fb17aa4b3e76e7b8d4 [diff] [blame]