author | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2015-06-15 12:21:54 +0200 |
---|---|---|
committer | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2016-12-08 17:17:01 +0100 |
commit | aef7b3ec75908e3d3a11c00643f1b654751c11cf (patch) | |
tree | 22f693600c266fa5b0e6af98999d5242e1e4003a | |
parent | 55bf8ef54ca6a188b8fbb1c341c55fca7a65ea67 (diff) |
app: aboot: fix incorrect check for integer overflow
When we encounter a large DONTCARE chunk, the integer overflow check that was
implemented in commit 14cff317 will report a false failure.
For example, the following chunk header was observed:
[58840] === Chunk Header ===
[58840] chunk_type: 0xcac3
[58850] chunk_data_sz: 0x198ffe
[58850] total_size: 0xc
which is valid, but reported as:
"Bogus size sparse and chunk header"
The check for the 32-bit overflow when computing the actual chunk size should be
done only for RAW chunks instead.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
(cherry picked from commit 2740fc8aeb78bb2e012f63f6d500f3133139c504)
-rw-r--r-- | app/aboot/aboot.c | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c index ed53d87a..24a8dbe8 100644 --- a/app/aboot/aboot.c +++ b/app/aboot/aboot.c @@ -2719,25 +2719,25 @@ void cmd_flash_mmc_sparse_img(const char *arg, void *data, unsigned sz) chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz; - /* Make sure multiplication does not overflow uint32 size */ - if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz)) - { - fastboot_fail("Bogus size sparse and chunk header"); - return; - } - - /* Make sure that the chunk size calculated from sparse image does not - * exceed partition size - */ - if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size) - { - fastboot_fail("Chunk data size exceeds partition size"); - return; - } - switch (chunk_header->chunk_type) { case CHUNK_TYPE_RAW: + /* Make sure multiplication does not overflow uint32 size */ + if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz)) + { + fastboot_fail("Bogus size sparse and chunk header"); + return; + } + + /* Make sure that the chunk size calculated from sparse image does not + * exceed partition size + */ + if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size) + { + fastboot_fail("Chunk data size exceeds partition size"); + return; + } + if(chunk_header->total_sz != (sparse_header->chunk_hdr_sz + chunk_data_sz)) { |
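Review bot: the partition-size check ("Chunk data size exceeds partition size") is moved under `case CHUNK_TYPE_RAW:` together with the overflow check, but the commit message only argues for restricting the 32-bit overflow check. After this change the visible code applies no bound against `size` to non-RAW chunk types, and `chunk_data_sz` is still computed as a 32-bit product ahead of the switch, so any use of it in the other cases would see a possibly wrapped value. Consider keeping a bound for every chunk type by doing the arithmetic in 64 bits ahead of the switch, for example comparing `(uint64_t)total_blocks * sparse_header->blk_sz + (uint64_t)sparse_header->blk_sz * chunk_header->chunk_sz` against `size`, and leaving only the uint32 wrap test in the RAW case. If the other cases already enforce their own bound outside this hunk, the commit message should say so.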