MarcoBuster/Magisk
1
1
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix overflow

Browse Source 
`totalsize` might be a big (invalid) number so instead of checking the end address we check the size of the image.

Fix #4049
This commit is contained in:
Shaka Huang 2021-03-24 18:02:46 +08:00 committed by GitHub
parent 336f1687c1
commit e3801d6965
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
native/jni/magiskboot/bootimg.cpp
View File

@ -205,12 +205,12 @@ static int find_dtb_offset(uint8_t *buf, unsigned sz) {
// Check that fdt_header.totalsize does not overflow kernel image size // Check that fdt_header.totalsize does not overflow kernel image size
uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize); uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
if (curr + totalsize > end) if (totalsize > end - curr)
continue; continue;
// Check that fdt_header.off_dt_struct does not overflow kernel image size // Check that fdt_header.off_dt_struct does not overflow kernel image size
uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct); uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
if (curr + off_dt_struct > end) if (off_dt_struct > end - curr)
continue; continue;
// Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE // Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE