authorLinux Build Service Account <lnxbuild@localhost>2016-04-07 15:57:34 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2016-04-07 15:57:34 -0700
commit337397d16e1c196a7fc69e21be7775841b2a942a (patch)
tree0d4c18af75822f502c321ebd3491c23deb24063f
parent7a20826f37157f2916a5bca24d21461f878b172d (diff)
parent30c0b9556f7ef646effa2a3ab90bde9d1b48294f (diff)
Merge "app: aboot: add check on decompression space"
-rw-r--r--app/aboot/aboot.c15
1 files changed, 15 insertions, 0 deletions
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index d4053771..6fef19a2 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -1242,8 +1242,23 @@ int boot_linux_from_mmc(void)
*/
if (is_gzip_package((unsigned char *)(image_addr + page_size), hdr->kernel_size))
{
+ if ((imagesize_actual + page_size) < imagesize_actual)
+ {
+ dprintf(CRITICAL, "Integer overflow in boot.img header fields\n");
+ ASSERT(0);
+ }
out_addr = (unsigned char *)(image_addr + imagesize_actual + page_size);
+ if (target_get_max_flash_size() < (imagesize_actual + page_size))
+ {
+ dprintf(CRITICAL, "No space avaiable for decompression\n");
+ ASSERT(0);
+ }
out_avai_len = target_get_max_flash_size() - imagesize_actual - page_size;
+ if (check_aboot_addr_range_overlap((uint32_t)out_addr, out_avai_len))
+ {
+ dprintf(CRITICAL, "decompress address overlap with aboot addresse\n");
+ return -1;
+ }
dprintf(INFO, "decompressing kernel image: start\n");
rc = decompress((unsigned char *)(image_addr + page_size),
hdr->kernel_size, out_addr, out_avai_len,
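Review bot: The overflow guard added before the `out_addr` assignment covers only `imagesize_actual + page_size`; the assignment also adds `image_addr`, and that three-term sum is never checked before it is cast to `uint32_t` and passed to `check_aboot_addr_range_overlap()`. The log text suggests these sizes are derived from boot.img header fields, so a value that passes both size checks could still wrap `out_addr` if the scratch base is high, unless the overlap helper (not visible here) rejects wrapped ranges. A guard such as `if ((uintptr_t)image_addr > UINTPTR_MAX - (imagesize_actual + page_size))` ahead of the assignment would close that gap. A one-line comment would also help explain why the two size checks halt with `ASSERT(0)` while the overlap check returns -1. The body of boot_linux_from_mmc starts before this hunk and the decompress() call runs past its end.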