Merge "dev: pmi8994: Update vbat calculation"
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 44b0858..e43f120 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -2151,6 +2151,14 @@
// Initialize boot state before trying to verify boot.img
#if VERIFIED_BOOT
boot_verifier_init();
+ /* Handle overflow if the input image size is greater than
+ * boot image buffer can hold
+ */
+ if ((target_get_max_flash_size() - (image_actual - sig_actual)) < page_size)
+ {
+ fastboot_fail("booimage: size is greater than boot image buffer can hold");
+ return;
+ }
#endif
/* Verify the boot image
diff --git a/platform/msm_shared/boot_verifier.c b/platform/msm_shared/boot_verifier.c
index 7ecbc0b..6a5f5f3 100644
--- a/platform/msm_shared/boot_verifier.c
+++ b/platform/msm_shared/boot_verifier.c
@@ -47,6 +47,7 @@
#define ASN1_ENCODED_SHA256_SIZE 0x33
#define ASN1_ENCODED_SHA256_OFFSET 0x13
+#define ASN1_SIGNATURE_BUFFER_SZ mmc_page_size()
static KEYSTORE *oem_keystore;
static KEYSTORE *user_keystore;
@@ -118,18 +119,38 @@
len_bytes = (input[pos] & ~(0x80));
pos++;
}
+
while(len_bytes)
{
- /* Shift len by 1 octet */
- len = len << 8;
+ /* Shift len by 1 octet, make sure to check unsigned int overflow */
+ if (len <= (UINT_MAX >> 8))
+ len <<= 8;
+ else
+ {
+ dprintf(CRITICAL, "Error: Length exceeding max size of uintmax\n");
+ return 0;
+ }
/* Read next octet */
- len = len | input[pos];
+ if (pos < (int) ASN1_SIGNATURE_BUFFER_SZ)
+ len = len | input[pos];
+ else
+ {
+ dprintf(CRITICAL, "Error: Pos index exceeding the input buffer size\n");
+ return 0;
+ }
+
pos++; len_bytes--;
}
/* Add number of octets representing sequence id and length */
- len += pos;
+ if ((UINT_MAX - pos) > len)
+ len += pos;
+ else
+ {
+ dprintf(CRITICAL, "Error: Len overflows UINT_MAX value\n");
+ return 0;
+ }
return len;
}
@@ -347,19 +368,12 @@
static void read_oem_keystore()
{
KEYSTORE *ks = NULL;
- uint32_t len = 0;
+ uint32_t len = sizeof(OEM_KEYSTORE);
const unsigned char *input = OEM_KEYSTORE;
if(oem_keystore != NULL)
return;
- len = read_der_message_length((unsigned char *)input);
- if(!len)
- {
- dprintf(CRITICAL, "boot_verifier: oem keystore length is invalid.\n");
- return;
- }
-
ks = d2i_KEYSTORE(NULL, (const unsigned char **) &input, len);
if(ks != NULL)
{
@@ -490,7 +504,8 @@
const EVP_MD *fp_type = NULL;
VERIFIED_BOOT_SIG *sig = NULL;
unsigned char* sig_addr = (unsigned char*)(img_addr + img_size);
- uint32_t sig_len = read_der_message_length(sig_addr);
+ uint32_t sig_len = 0;
+ unsigned char *signature = NULL;
if(dev_boot_state == ORANGE)
{
@@ -499,12 +514,25 @@
return false;
}
+ signature = malloc(ASN1_SIGNATURE_BUFFER_SZ);
+ ASSERT(signature);
+
+ /* Copy the signature from scratch memory to buffer */
+ memcpy(signature, sig_addr, ASN1_SIGNATURE_BUFFER_SZ);
+ sig_len = read_der_message_length(signature);
+
if(!sig_len)
{
dprintf(CRITICAL, "boot_verifier: Error while reading signature length.\n");
ASSERT(0);
}
+ if (sig_len > ASN1_SIGNATURE_BUFFER_SZ)
+ {
+ dprintf(CRITICAL, "boot_verifier: Signature length exceeds size signature buffer\n");
+ goto verify_image_error;
+ }
+
if((sig = d2i_VERIFIED_BOOT_SIG(NULL, (const unsigned char **) &sig_addr, sig_len)) == NULL)
{
dprintf(CRITICAL,
@@ -522,6 +550,8 @@
if(sig != NULL)
VERIFIED_BOOT_SIG_free(sig);
+verify_image_error:
+ free(signature);
return ret;
}
diff --git a/platform/msm_shared/mipi_dsi.c b/platform/msm_shared/mipi_dsi.c
index 0474f37..d336f8b 100644
--- a/platform/msm_shared/mipi_dsi.c
+++ b/platform/msm_shared/mipi_dsi.c
@@ -837,7 +837,7 @@
}
writel(0x1115501, pinfo->mipi.ctl_base + INT_CTRL);
- if (pinfo->mipi.broadcast)
+ if (pinfo->mipi.dual_dsi)
writel(0x1115501, pinfo->mipi.sctl_base + INT_CTRL);
return NO_ERROR;