From e3801d6965f351391d476222f7e1ad0d5864dd26 Mon Sep 17 00:00:00 2001
From: Shaka Huang
Date: Wed, 24 Mar 2021 18:02:46 +0800
Subject: [PATCH] Fix overflow

`totalsize` might be a big (invalid) number so instead of checking the end address we check the size of the image.

Fix #4049
---
native/jni/magiskboot/bootimg.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/native/jni/magiskboot/bootimg.cpp b/native/jni/magiskboot/bootimg.cpp
index abee0318d..b41c9ca7c 100644
--- a/native/jni/magiskboot/bootimg.cpp
+++ b/native/jni/magiskboot/bootimg.cpp
@@ -205,12 +205,12 @@ static int find_dtb_offset(uint8_t *buf, unsigned sz) {
 // Check that fdt_header.totalsize does not overflow kernel image size
 uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
- if (curr + totalsize > end)
+ if (totalsize > end - curr)
 continue;
 // Check that fdt_header.off_dt_struct does not overflow kernel image size
 uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
- if (curr + off_dt_struct > end)
+ if (off_dt_struct > end - curr)
 continue;
 // Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE
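Review bot: The new `off_dt_struct` guard still admits `off_dt_struct == end - curr`, and the comment that closes the hunk says the code then reads `fdt_node_header.tag` at that offset; if that read is at `curr + off_dt_struct`, a 32-bit tag would run up to four bytes past `end`, so the bound should reserve room for it, e.g. `if (end - curr < sizeof(uint32_t) || off_dt_struct > end - curr - sizeof(uint32_t))`. The `totalsize` comparison does not share this problem, since equality there only means the DTB ends exactly at the buffer end. It would also be worth bounding `off_dt_struct` by `totalsize`, because the struct block must lie inside the blob the header describes and the later node walk presumably trusts that size. Both comparisons mix `uint32_t` with a `ptrdiff_t`, which is sound only while `curr <= end` holds, as the loop likely guarantees; a `size_t` remaining-length variable would make that invariant explicit. find_dtb_offset's body continues outside the hunk on both sides.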