app: aboot: fix incorrect check for integer overflow
When we encounter a large DONTCARE chunk, the integer overflow check that was
implemented in commit 14cff317 will report a false failure.
For example, the following chunk header was observed:
[58840] === Chunk Header ===
[58840] chunk_type: 0xcac3
[58850] chunk_data_sz: 0x198ffe
[58850] total_size: 0xc
which is valid, but reported as:
"Bogus size sparse and chunk header"
The check for the 32-bit overflow when computing the actual chunk size should be
done only for RAW chunk, instead.
Issue: FP2A10-106
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Change-Id: I89930a66448b4d3baaba3bc28227572362679caf
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index 9c0ba40..6681cbd 100755
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1992,25 +1992,25 @@
chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz;
- /* Make sure multiplication does not overflow uint32 size */
- if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz))
- {
- fastboot_fail("Bogus size sparse and chunk header");
- return;
- }
-
- /* Make sure that the chunk size calculated from sparse image does not
- * exceed partition size
- */
- if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size)
- {
- fastboot_fail("Chunk data size exceeds partition size");
- return;
- }
-
switch (chunk_header->chunk_type)
{
case CHUNK_TYPE_RAW:
+ /* Make sure multiplication does not overflow uint32 size */
+ if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz))
+ {
+ fastboot_fail("Bogus size sparse and chunk header");
+ return;
+ }
+
+ /* Make sure that the chunk size calculated from sparse image does not
+ * exceed partition size
+ */
+ if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size)
+ {
+ fastboot_fail("Chunk data size exceeds partition size");
+ return;
+ }
+
if(chunk_header->total_sz != (sparse_header->chunk_hdr_sz +
chunk_data_sz))
{