[PATCH] scripts/imx: fix out-of-bounds access for big DCD tables
Uwe Kleine-König
u.kleine-koenig at pengutronix.de
Fri Aug 4 08:59:56 PDT 2017
add_header_v2 might need a buffer that is bigger than HEADER_LEN
(0x1000) as MAX_DCD * sizeof(u32) (i.e. the maximal size of the dcd
table alone) is already 0x1000. Additionally add_header_v2 adds padding
(usually 0x400) and a struct imx_flash_header_v2 (48). So expand the
buffer size accordingly for v2.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig at pengutronix.de>
---
scripts/imx/imx-image.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index dd5799cccc4b..b241e8c4b68e 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c
@@ -762,10 +762,6 @@ int main(int argc, char *argv[])
create_usb_image = 0;
}
- buf = calloc(1, HEADER_LEN);
- if (!buf)
- exit(1);
-
if (data.image_dcd_offset == 0xffffffff) {
if (create_usb_image)
data.image_dcd_offset = 0x0;
@@ -790,6 +786,10 @@ int main(int argc, char *argv[])
switch (data.header_version) {
case 1:
+ buf = calloc(1, HEADER_LEN);
+ if (!buf)
+ exit(1);
+
add_header_v1(&data, buf);
if (data.srkfile) {
ret = add_srk(buf, data.image_dcd_offset, data.image_load_addr,
@@ -799,6 +799,10 @@ int main(int argc, char *argv[])
}
break;
case 2:
+ buf = calloc(1, data.image_dcd_offset + sizeof(struct imx_flash_header_v2) + MAX_DCD * sizeof(u32));
+ if (!buf)
+ exit(1);
+
add_header_v2(&data, buf);
break;
default:
--
2.11.0
More information about the barebox
mailing list