Avoid coredumps if the FMAP is wrong.
If the FMAP points beyond the boundaries of the image, don't believe it.
BUG=chromium:224734
BRANCH=ToT
TEST=make runtests
Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Change-Id: Ic35ce71ceac9beb7eb56b50baec938a8e085606c
Reviewed-on: https://chromium-review.googlesource.com/207740
Reviewed-by: Randall Spangler <rspangler@chromium.org>
diff --git a/futility/cmd_dump_fmap.c b/futility/cmd_dump_fmap.c
index fbd9620..bf9e7af 100644
--- a/futility/cmd_dump_fmap.c
+++ b/futility/cmd_dump_fmap.c
@@ -26,6 +26,7 @@
static int opt_overlap = 0;
static char *progname;
static void *base_of_rom;
+static size_t size_of_rom;
static int opt_gaps = 0;
@@ -90,18 +91,22 @@
fprintf(stderr, "%s: can't open %s: %s\n",
progname, buf, strerror(errno));
retval = 1;
+ } else if (!ah->area_size) {
+ fprintf(stderr, "%s: section %s has zero size\n", progname, buf);
+ } else if (ah->area_offset + ah->area_size > size_of_rom) {
+ fprintf(stderr, "%s: section %s is larger than the image\n",
+ progname, buf);
+ retval = 1;
+ } else if (1 != fwrite(base_of_rom + ah->area_offset,
+ ah->area_size, 1, fp)) {
+ fprintf(stderr, "%s: can't write %s: %s\n",
+ progname, buf, strerror(errno));
+ retval = 1;
} else {
- if (ah->area_size &&
- 1 != fwrite(base_of_rom + ah->area_offset, ah->area_size, 1, fp)) {
- fprintf(stderr, "%s: can't write %s: %s\n",
- progname, buf, strerror(errno));
- retval = 1;
- } else {
- if (FMT_NORMAL == opt_format)
- printf("saved as \"%s\"\n", buf);
- }
- fclose(fp);
+ if (FMT_NORMAL == opt_format)
+ printf("saved as \"%s\"\n", buf);
}
+ fclose(fp);
}
}
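Review bot: The new bounds check `ah->area_offset + ah->area_size > size_of_rom` can still be defeated by a crafted FMAP whose two fields wrap when summed: if they are 32-bit (as FMAP area headers usually are — confirm against the struct definition), a large offset plus a size that wraps past zero compares small, passes the test, and the following fwrite reads far outside the mapping, which is exactly the crash this commit sets out to prevent. A wrap-free form is `ah->area_offset > size_of_rom || ah->area_size > size_of_rom - ah->area_offset`. Separately, `fclose(fp)` now runs after the whole if/else chain, so it is also reached on the branch that reports "can't open", where fp is presumably NULL (the fopen condition itself is above the hunk); guard it as `if (fp) fclose(fp);`. The enclosing function starts before this hunk.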
@@ -444,8 +449,9 @@
return 1;
}
close(fd); /* done with this now */
+ size_of_rom = sb.st_size;
- fmap = FmapFind((char*) base_of_rom, sb.st_size);
+ fmap = FmapFind((char*) base_of_rom, size_of_rom);
if (fmap) {
switch (opt_format) {
case FMT_HUMAN: