The script_bin_head structure declares signed values for the section count and the version information. Testing that they are below certain thresholds (SCRIPT_BIN_*_LIMIT) is therefore insufficient; we should also safeguard against negative values like "fexc-bin: script.bin: version: -404840454.-1074397186.-1073906177".
Also reordered lines so that the safeguards run (and exit, if needed) before the normal output of header information.
Signed-off-by: Bernhard Nortmann <bernhard.nortm...@web.de>
---
 script_bin.c | 38 +++++++++++++++++---------------------
 1 file changed, 17 insertions(+), 21 deletions(-)
diff --git a/script_bin.c b/script_bin.c
index ce13a2a..e6cc168 100644
--- a/script_bin.c
+++ b/script_bin.c
@@ -309,38 +309,34 @@ failure:
 #define SCRIPT_BIN_SECTION_LIMIT 0x100
 int script_decompile_bin(void *bin, size_t bin_size,
- const char *filename,
- struct script *script)
+ const char *filename, struct script *script)
 {
 int i;
- struct script_bin_head *head = bin;
+ struct script_bin_head *h = bin;
- pr_info("%s: version: %d.%d.%d\n", filename,
- head->version[0], head->version[1],
- head->version[2]);
- pr_info("%s: size: %zu (%d sections)\n", filename,
- bin_size, head->sections);
-
- if (head->sections > SCRIPT_BIN_SECTION_LIMIT) {
- pr_err("Malformed data: too many sections (%d).\n",
- head->sections);
+ if (h->version[0] < 0 || h->version[0] > SCRIPT_BIN_VERSION_LIMIT ||
+ h->version[1] < 0 || h->version[1] > SCRIPT_BIN_VERSION_LIMIT ||
+ h->version[2] < 0 || h->version[2] > SCRIPT_BIN_VERSION_LIMIT) {
+ pr_err("Malformed data: version %d.%d.%d.\n",
+ h->version[0], h->version[1], h->version[2]);
 return 0;
 }
- if ((head->version[0] > SCRIPT_BIN_VERSION_LIMIT) ||
- (head->version[1] > SCRIPT_BIN_VERSION_LIMIT) ||
- (head->version[2] > SCRIPT_BIN_VERSION_LIMIT)) {
- pr_err("Malformed data: version %d.%d.%d.\n",
- head->version[0], head->version[1], head->version[2]);
+ if (h->sections < 0 || h->sections > SCRIPT_BIN_SECTION_LIMIT) {
+ pr_err("Malformed data: too many sections (%d).\n", h->sections);
 return 0;
 }
+ pr_info("%s: version: %d.%d.%d\n", filename,
+ h->version[0], h->version[1], h->version[2]);
+ pr_info("%s: size: %zu (%d sections)\n", filename,
+ bin_size, h->sections);
+ /* TODO: SANITY: compare head.sections with bin_size */
- for (i=0; i < head->sections; i++) {
- struct script_bin_section *section = &head->section[i];
+ for (i=0; i < h->sections; i++) {
+ struct script_bin_section *section = &h->section[i];
- if (!decompile_section(bin, bin_size, filename,
- section, script))
+ if (!decompile_section(bin, bin_size, filename, section, script))
 return 0;
 }
 return 1;
--
2.4.10
--
You received this message because you are subscribed to the Google
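Review bot: The new range checks read h->version[] and h->sections before anything confirms that bin_size covers a struct script_bin_head, so a truncated or empty input still reaches an out-of-bounds read of the header before the checks can reject it; put a size guard ahead of the version test, `if (bin_size < sizeof *h) { pr_err("Malformed data: %zu bytes is too small for a header.\n", bin_size); return 0; }`. The loop at the bottom has the same gap and the `/* TODO: SANITY: compare head.sections with bin_size */` comment is still open; with sections now bounded by SCRIPT_BIN_SECTION_LIMIT the check would be roughly `if ((size_t)h->sections * sizeof h->section[0] > bin_size - sizeof *h)`, assuming section[] is a trailing array inside script_bin_head (confirm against the struct definition, which is not in this hunk). As a point of wording, the sections diagnostic still says "too many sections" even though it now also fires on a negative count; `pr_err("Malformed data: invalid section count (%d).\n", h->sections);` would describe both cases. The closing brace of script_decompile_bin and the definition of SCRIPT_BIN_VERSION_LIMIT lie outside the hunk.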