-rw-r--r--app/aboot/aboot.c12
1 files changed, 10 insertions, 2 deletions
diff --git a/app/aboot/aboot.c b/app/aboot/aboot.c
index b4ccff6..5167964 100644
--- a/app/aboot/aboot.c
+++ b/app/aboot/aboot.c
@@ -4507,7 +4507,11 @@ int splash_screen_flash()
fb_display = fbcon_display();
if (fb_display) {
- if (header->type && (header->blocks != 0)) { // RLE24 compressed data
+ if (header->type && (header->blocks != 0) &&
+ (UINT_MAX >= header->blocks * 512) &&
+ ((header->blocks * 512) <= (fb_display->width *
+ fb_display->height * (fb_display->bpp / 8)))) {
+ /* RLE24 compressed data */
uint8_t *base = (uint8_t *) fb_display->base + LOGO_IMG_OFFSET;
/* if the logo is full-screen size, remove "fbcon_clear()" */
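Review bot: The overflow guard `(UINT_MAX >= header->blocks * 512)` cannot fail if `header->blocks` is a 32-bit unsigned field (its declaration is not in the hunk), because the product is computed in that type and wraps before the comparison. A large block count in the image header would then still pass, and the framebuffer size comparison that follows would see the wrapped value. Bounding the operand avoids the wrap: `(header->blocks <= UINT_MAX / 512) &&` here, and `(header->blocks <= (UINT_MAX - LOGO_IMG_HEADER_SIZE) / 512) &&` for the same check in the splash_screen_mmc() hunk. The data appears to be placed at `fb_display->base + LOGO_IMG_OFFSET`, so the framebuffer bound should probably subtract that offset too; confirm against the read call, which is outside both hunks along with the rest of each function body.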
@@ -4604,7 +4608,11 @@ int splash_screen_mmc()
}
if (fb_display) {
- if (header->type && (header->blocks != 0)) { /* 1 RLE24 compressed data */
+ if (header->type && (header->blocks != 0) &&
+ (UINT_MAX >= header->blocks * 512 + LOGO_IMG_HEADER_SIZE) &&
+ ((header->blocks * 512) <= (fb_display->width *
+ fb_display->height * (fb_display->bpp / 8)))) {
+ /* 1 RLE24 compressed data */
base += LOGO_IMG_OFFSET;
realsize = header->blocks * 512;