authorraghavendra ambadas <rambad@codeaurora.org>2018-10-09 15:50:40 +0530
committerraghavendra ambadas <rambad@codeaurora.org>2018-11-07 10:43:01 +0530
commit2a93d1bcfabaaa5eace208ad6e066343101f3ed2 (patch)
tree7fb5a0bef25f2f261ecba0b746951e7ddcabb5b6
parenteca90feb2c938bf47de66847b67fd9408dc90611 (diff)
app: aboot: Add check for buffer overflow
Add check to detect header block size buffer overflow. Change-Id: I2664592adb50adb596b5e48401324aa7ecc35488 Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
-rw-r--r--app/aboot/aboot.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index b4ccff6..5167964 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -4507,7 +4507,11 @@ int splash_screen_flash()
fb_display = fbcon_display();
if (fb_display) {
- if (header->type && (header->blocks != 0)) { // RLE24 compressed data
+ if (header->type && (header->blocks != 0) &&
+ (UINT_MAX >= header->blocks * 512) &&
+ ((header->blocks * 512) <= (fb_display->width *
+ fb_display->height * (fb_display->bpp / 8)))) {
+ /* RLE24 compressed data */
uint8_t *base = (uint8_t *) fb_display->base + LOGO_IMG_OFFSET;
/* if the logo is full-screen size, remove "fbcon_clear()" */
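Review bot: The added guard `(UINT_MAX >= header->blocks * 512)` in splash_screen_flash() cannot fail if `header->blocks` is an unsigned 32-bit field (its declaration is outside the hunk), because the multiplication wraps before the comparison and the wrapped product is then what gets compared with the framebuffer size on the following lines. Bounding the operand before multiplying avoids this, e.g. `(header->blocks <= UINT_MAX / 512) &&`, and in splash_screen_mmc(), where the same pattern appears, `(header->blocks <= (UINT_MAX - LOGO_IMG_HEADER_SIZE) / 512) &&`. The framebuffer bound also does not account for the data being placed at `fb_display->base + LOGO_IMG_OFFSET`, so the limit should probably have that offset subtracted if it is non-zero. Both function bodies continue outside the hunks shown, so how `header->blocks` is used after the check should be confirmed against the full file.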
@@ -4604,7 +4608,11 @@ int splash_screen_mmc()
}
if (fb_display) {
- if (header->type && (header->blocks != 0)) { /* 1 RLE24 compressed data */
+ if (header->type && (header->blocks != 0) &&
+ (UINT_MAX >= header->blocks * 512 + LOGO_IMG_HEADER_SIZE) &&
+ ((header->blocks * 512) <= (fb_display->width *
+ fb_display->height * (fb_display->bpp / 8)))) {
+ /* 1 RLE24 compressed data */
base += LOGO_IMG_OFFSET;
realsize = header->blocks * 512;