Add a check that the offset is within the allowed range.

Signed-off-by: Simon Glass <s...@chromium.org>
Reported-by: Coverity (CID: 331155)
---
fs/cbfs/cbfs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/cbfs/cbfs.c b/fs/cbfs/cbfs.c index 415ea28b871..3e905c74e58 100644 --- a/fs/cbfs/cbfs.c +++ b/fs/cbfs/cbfs.c @@ -167,6 +167,8 @@ static int file_cbfs_next_file(struct cbfs_priv *priv, void *start, int size, } swap_file_header(&header, file_header); + if (header.offset >= size) + return log_msg_ret("range", -E2BIG); ret = fill_node(node, start, &header); if (ret) { priv->result = CBFS_BAD_FILE; -- 2.31.1.607.g51e8a6a459-goog
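Review bot: the new early return after swap_file_header() in file_cbfs_next_file() leaves priv->result untouched, while the fill_node() failure path directly below sets priv->result = CBFS_BAD_FILE, so a caller that inspects priv->result would not see this rejection. Suggest setting priv->result = CBFS_BAD_FILE before return log_msg_ret("range", -E2BIG). Separately, size is declared int in the function signature; if header.offset is an unsigned type, header.offset >= size is evaluated in unsigned arithmetic and a negative size would let any offset pass, so it is worth confirming that size cannot be negative here or making the conversion explicit. The check bounds only where the data starts; whether the end of the file data is also validated against size is not visible in this hunk, and the commit message could state which range is meant.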