Fix overflow
`totalsize` might be a large (invalid) number, so `curr + totalsize` can overflow; instead of checking the computed end address we check the size against the bytes remaining in the image. Fix #4049
This commit is contained in:
parent
336f1687c1
commit
e3801d6965
@ -205,12 +205,12 @@ static int find_dtb_offset(uint8_t *buf, unsigned sz) {
|
||||
|
||||
// Check that fdt_header.totalsize does not overflow kernel image size
|
||||
uint32_t totalsize = fdt32_to_cpu(fdt_hdr->totalsize);
|
||||
if (curr + totalsize > end)
|
||||
if (totalsize > end - curr)
|
||||
continue;
|
||||
|
||||
// Check that fdt_header.off_dt_struct does not overflow kernel image size
|
||||
uint32_t off_dt_struct = fdt32_to_cpu(fdt_hdr->off_dt_struct);
|
||||
if (curr + off_dt_struct > end)
|
||||
if (off_dt_struct > end - curr)
|
||||
continue;
|
||||
|
||||
// Check that fdt_node_header.tag of first node is FDT_BEGIN_NODE
|
||||
|
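Review bot: The new `off_dt_struct > end - curr` check still admits `off_dt_struct == end - curr`, so the `fdt_node_header.tag` read announced by the following comment would start exactly at `end` and read `sizeof(fdt_node_header)` bytes past the image. Since the first check already establishes `totalsize <= end - curr`, the struct offset can be bounded by the blob itself: reject short headers with `if (totalsize < sizeof(fdt_header) || totalsize > end - curr)` and then use `if (off_dt_struct > totalsize - sizeof(fdt_node_header))` for the second check. The subtraction is safe as long as `sizeof(fdt_header)` is at least `sizeof(fdt_node_header)`, which holds for libfdt's layout but should be confirmed against the headers this file includes. Both checks compare a `uint32_t` against `end - curr`, presumably a `ptrdiff_t` given `buf` is `uint8_t *`; that is only well-defined while `curr <= end`, which depends on the loop outside this hunk. find_dtb_offset begins and ends outside the hunk, and whether at least `sizeof(fdt_header)` bytes remain before `fdt_hdr->totalsize` is dereferenced is not visible here.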