app: aboot: Add check for buffer overflow

Add check to detect header block size buffer overflow.

Change-Id: I2664592adb50adb596b5e48401324aa7ecc35488
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>

1 files changed, 10 insertions, 2 deletions

diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index b4ccff6..5167964 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -4507,7 +4507,11 @@ int splash_screen_flash()
 
 	fb_display = fbcon_display();
 	if (fb_display) {
-		if (header->type && (header->blocks != 0)) { // RLE24 compressed data
+		if (header->type && (header->blocks != 0) &&
+				(UINT_MAX >= header->blocks * 512) &&
+				((header->blocks * 512) <=  (fb_display->width *
+				fb_display->height * (fb_display->bpp / 8)))) {
+					/* RLE24 compressed data */
 			uint8_t *base = (uint8_t *) fb_display->base + LOGO_IMG_OFFSET;
 
 			/* if the logo is full-screen size, remove "fbcon_clear()" */
@@ -4604,7 +4608,11 @@ int splash_screen_mmc()
 	}
 
 	if (fb_display) {
-		if (header->type && (header->blocks != 0)) { /* 1 RLE24 compressed data */
+		if (header->type && (header->blocks != 0) &&
+			(UINT_MAX >= header->blocks * 512 + LOGO_IMG_HEADER_SIZE) &&
+			((header->blocks * 512) <=  (fb_display->width *
+			fb_display->height * (fb_display->bpp / 8)))) {
+			/* 1 RLE24 compressed data */
 			base += LOGO_IMG_OFFSET;
 
 			realsize =  header->blocks * 512;