Fix OOB in rmi4utils firmware image parsing
Test: Verified compilation against ryu-userdebug
Bug: 33917273
Change-Id: I6a56e287c77bcc97b8b5a5485d7285772f682204
diff --git a/rmi4update/firmware_image.cpp b/rmi4update/firmware_image.cpp
index 8acc2d6..babce56 100644
--- a/rmi4update/firmware_image.cpp
+++ b/rmi4update/firmware_image.cpp
@@ -87,6 +87,12 @@
m_io = m_memBlock[RMI_IMG_IO_OFFSET];
m_bootloaderVersion = m_memBlock[RMI_IMG_BOOTLOADER_VERSION_OFFSET];
m_firmwareSize = extract_long(&m_memBlock[RMI_IMG_IMAGE_SIZE_OFFSET]);
+
+ if ((unsigned long)m_imageSize - RMI_IMG_FW_OFFSET - 1 < m_firmwareSize) {
+ fprintf(stderr, "Supplied firmware image size too large, goes out of image file size bound\n");
+ return UPDATE_FAIL_VERIFY_FIRMWARE_SIZE;
+ }
+
m_configSize = extract_long(&m_memBlock[RMI_IMG_CONFIG_SIZE_OFFSET]);
if (m_io == 1) {
m_firmwareBuildID = extract_long(&m_memBlock[RMI_IMG_FW_BUILD_ID_OFFSET]);
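Review bot: The new bound check subtracts in unsigned arithmetic, so when `m_imageSize` is not larger than `RMI_IMG_FW_OFFSET` the left-hand side wraps to a very large value and the comparison against `m_firmwareSize` passes instead of failing. Unless an earlier check outside this hunk already guarantees the file is at least header-sized, guard the subtraction first, e.g. `if (m_imageSize <= RMI_IMG_FW_OFFSET || m_firmwareSize > (unsigned long)m_imageSize - RMI_IMG_FW_OFFSET - 1) {`. The `m_configSize` read on the following line is taken from the same untrusted header and gets no comparable bound here; the firmware and config sizes together should be checked against the space remaining after `RMI_IMG_FW_OFFSET`. The enclosing function starts and ends outside the hunk, so whether later code validates these fields cannot be seen from here.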