author | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2015-06-15 12:21:54 +0200 |
---|---|---|
committer | Nicolas Dechesne <nicolas.dechesne@linaro.org> | 2015-06-15 12:21:54 +0200 |
commit | 2740fc8aeb78bb2e012f63f6d500f3133139c504 (patch) | |
tree | 8ca60d43df8122ece7421b4602ca71e17cebc214 | |
parent | 24cb33b3db445534d2049dcc9b1753c0afa781fb (diff) |
app: aboot: fix incorrect check for integer overflow
ubuntu-qcom-dragonboard410c-LA.BR.1.2.4-00310-8x16.0-linaro1 debian-qcom-dragonboard410c-LA.BR.1.2.4-00310-8x16.0-linaro1
When we encounter a large DONTCARE chunk, the integer overflow check that was
implemented in commit 14cff317 will report a false failure.
For example, the following chunk header was observed:
[58840] === Chunk Header ===
[58840] chunk_type: 0xcac3
[58850] chunk_data_sz: 0x198ffe
[58850] total_size: 0xc
which is valid, but reported as:
"Bogus size sparse and chunk header"
The check for the 32-bit overflow when computing the actual chunk size should be
done only for RAW chunk, instead.
Signed-off-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
-rw-r--r-- | app/aboot/aboot.c | 32 |
1 files changed, 16 insertions, 16 deletions
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c index 0f3b6b60..2927aeed 100644 --- a/app/aboot/aboot.c +++ b/app/aboot/aboot.c @@ -2186,25 +2186,25 @@ void cmd_flash_mmc_sparse_img(const char *arg, void *data, unsigned sz) chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz; - /* Make sure multiplication does not overflow uint32 size */ - if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz)) - { - fastboot_fail("Bogus size sparse and chunk header"); - return; - } - - /* Make sure that the chunk size calculated from sparse image does not - * exceed partition size - */ - if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size) - { - fastboot_fail("Chunk data size exceeds partition size"); - return; - } - switch (chunk_header->chunk_type) { case CHUNK_TYPE_RAW: + /* Make sure multiplication does not overflow uint32 size */ + if (sparse_header->blk_sz && (chunk_header->chunk_sz != chunk_data_sz / sparse_header->blk_sz)) + { + fastboot_fail("Bogus size sparse and chunk header"); + return; + } + + /* Make sure that the chunk size calculated from sparse image does not + * exceed partition size + */ + if ((uint64_t)total_blocks * (uint64_t)sparse_header->blk_sz + chunk_data_sz > size) + { + fastboot_fail("Chunk data size exceeds partition size"); + return; + } + if(chunk_header->total_sz != (sparse_header->chunk_hdr_sz + chunk_data_sz)) { |
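Review bot: The partition-size check ("Chunk data size exceeds partition size") moves under `case CHUNK_TYPE_RAW:` together with the uint32 overflow check, while the commit message only argues for moving the overflow check. In the lines shown, nothing outside the RAW case now compares the chunk against `size`, and for every other chunk type `chunk_data_sz = sparse_header->blk_sz * chunk_header->chunk_sz` is left holding a possibly wrapped 32-bit value that no check rejects. Any non-RAW case that later reads `chunk_data_sz`, or that advances `total_blocks` by `chunk_header->chunk_sz`, would then act on unvalidated header fields from the image. I would keep the partition bound outside the switch so it applies to all chunk types, computing the chunk size for that comparison as a 64-bit product, `(uint64_t)sparse_header->blk_sz * chunk_header->chunk_sz`, instead of the truncated `chunk_data_sz`, and leave only the uint32 overflow test inside the RAW case. A short comment at the RAW case saying why the overflow test is RAW-only (the DONTCARE header from the commit message is a good example) would also help the next reader.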