[PATCH] scripts/imx: fix out-of-bounds access for big DCD tables

Uwe Kleine-König u.kleine-koenig at pengutronix.de
Fri Aug 4 08:59:56 PDT 2017


add_header_v2 might need a buffer that is bigger than HEADER_LEN
(0x1000) as MAX_DCD * sizeof(u32) (i.e. the maximal size of the dcd
table alone) is already 0x1000. Additionally add_header_v2 adds padding
(usually 0x400) and a struct imx_flash_header_v2 (48). So expand the
buffer size accordingly for v2.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig at pengutronix.de>
---
 scripts/imx/imx-image.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index dd5799cccc4b..b241e8c4b68e 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c
@@ -762,10 +762,6 @@ int main(int argc, char *argv[])
 		create_usb_image = 0;
 	}
 
-	buf = calloc(1, HEADER_LEN);
-	if (!buf)
-		exit(1);
-
 	if (data.image_dcd_offset == 0xffffffff) {
 		if (create_usb_image)
 			data.image_dcd_offset = 0x0;
@@ -790,6 +786,10 @@ int main(int argc, char *argv[])
 
 	switch (data.header_version) {
 	case 1:
+		buf = calloc(1, HEADER_LEN);
+		if (!buf)
+			exit(1);
+
 		add_header_v1(&data, buf);
 		if (data.srkfile) {
 			ret = add_srk(buf, data.image_dcd_offset, data.image_load_addr,
@@ -799,6 +799,10 @@ int main(int argc, char *argv[])
 		}
 		break;
 	case 2:
+		buf = calloc(1, data.image_dcd_offset + sizeof(struct imx_flash_header_v2) + MAX_DCD * sizeof(u32));
+		if (!buf)
+			exit(1);
+
 		add_header_v2(&data, buf);
 		break;
 	default:
-- 
2.11.0




More information about the barebox mailing list