The script_bin_head structure declares signed values for section
count and version information. Testing them to be below certain
thresholds (SCRIPT_BIN_*_LIMIT) is therefore insufficient; we
should also safeguard against negative values like "fexc-bin:
script.bin: version: -404840454.-1074397186.-1073906177".

Also reordered lines so that the safeguards run (and exit, if
needed) before the normal output of header information.

Signed-off-by: Bernhard Nortmann <bernhard.nortm...@web.de>
---
 script_bin.c | 38 +++++++++++++++++---------------------
 1 file changed, 17 insertions(+), 21 deletions(-)

diff --git a/script_bin.c b/script_bin.c
index ce13a2a..e6cc168 100644
--- a/script_bin.c
+++ b/script_bin.c
@@ -309,38 +309,34 @@ failure:
 #define SCRIPT_BIN_SECTION_LIMIT 0x100
 
 int script_decompile_bin(void *bin, size_t bin_size,
-                        const char *filename,
-                        struct script *script)
+                        const char *filename, struct script *script)
 {
        int i;
-       struct script_bin_head *head = bin;
+       struct script_bin_head *h = bin;
 
-       pr_info("%s: version: %d.%d.%d\n", filename,
-               head->version[0], head->version[1],
-               head->version[2]);
-       pr_info("%s: size: %zu (%d sections)\n", filename,
-               bin_size, head->sections);
-
-       if (head->sections > SCRIPT_BIN_SECTION_LIMIT) {
-               pr_err("Malformed data: too many sections (%d).\n",
-                      head->sections);
+       if (h->version[0] < 0 || h->version[0] > SCRIPT_BIN_VERSION_LIMIT ||
+           h->version[1] < 0 || h->version[1] > SCRIPT_BIN_VERSION_LIMIT ||
+           h->version[2] < 0 || h->version[2] > SCRIPT_BIN_VERSION_LIMIT) {
+               pr_err("Malformed data: version %d.%d.%d.\n",
+                      h->version[0], h->version[1], h->version[2]);
                return 0;
        }
 
-       if ((head->version[0] > SCRIPT_BIN_VERSION_LIMIT) ||
-           (head->version[1] > SCRIPT_BIN_VERSION_LIMIT) ||
-           (head->version[2] > SCRIPT_BIN_VERSION_LIMIT)) {
-               pr_err("Malformed data: version %d.%d.%d.\n",
-                      head->version[0], head->version[1], head->version[2]);
+       if (h->sections < 0 || h->sections > SCRIPT_BIN_SECTION_LIMIT) {
+               pr_err("Malformed data: too many sections (%d).\n", 
h->sections);
                return 0;
        }
 
+       pr_info("%s: version: %d.%d.%d\n", filename,
+               h->version[0], h->version[1], h->version[2]);
+       pr_info("%s: size: %zu (%d sections)\n", filename,
+               bin_size, h->sections);
+
        /* TODO: SANITY: compare head.sections with bin_size */
-       for (i=0; i < head->sections; i++) {
-               struct script_bin_section *section = &head->section[i];
+       for (i=0; i < h->sections; i++) {
+               struct script_bin_section *section = &h->section[i];
 
-               if (!decompile_section(bin, bin_size, filename,
-                                      section, script))
+               if (!decompile_section(bin, bin_size, filename, section, 
script))
                        return 0;
        }
        return 1;
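Review bot: The new range checks at the top of script_decompile_bin read `h->version[]` and `h->sections` without first confirming that `bin_size` covers the header, and the loop still indexes `h->section[i]` for up to SCRIPT_BIN_SECTION_LIMIT entries with only the TODO standing in for a comparison against `bin_size`. A truncated or malformed script.bin could therefore cause reads past the end of the buffer, unless the caller or decompile_section already enforces the size; neither is visible in this hunk, and the function's closing brace is outside it too. Consider a guard before the version check, `if (bin_size < sizeof(*h)) { pr_err("Malformed data: header truncated.\n"); return 0; }`, and after the section-count check, `if ((size_t)h->sections > (bin_size - sizeof(*h)) / sizeof(h->section[0])) return 0;`. Separately, the "too many sections" message is now also printed for negative counts; wording such as `"Malformed data: invalid section count (%d).\n"` would fit both cases.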
-- 
2.4.10
