authorElliott Hughes <enh@google.com>2018-01-18 16:08:24 -0800
committerElliott Hughes <enh@google.com>2018-01-18 16:50:14 -0800
commitaaa3b6bbf2e8bf5949a3b9af27c0a458fe62828d (patch)
tree596501c8946ddc1f245a57089569148b8d1f34ce /fastboot/fastboot.cpp
parenta1e27d342e05fc504ce7140463d17336c53a1af8 (diff)
Fix fastboot memory corruption.
Bug: http://b/68664649 Test: echo 'ANDROID!' > fake.img ; fastboot -c `python -c "print 'A'*4000"` boot fake.img Change-Id: I3299e0fba24a6c1f6178c994731a94cea68f7254
Diffstat (limited to 'fastboot/fastboot.cpp')
-rw-r--r--fastboot/fastboot.cpp5
1 files changed, 4 insertions, 1 deletions
diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 6175f59ef..536d64e4c 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -447,8 +447,11 @@ static void* load_bootable_image(const std::string& kernel, const std::string& r
if (kdata == nullptr) die("cannot load '%s': %s", kernel.c_str(), strerror(errno));
// Is this actually a boot image?
+ if (ksize < static_cast<int64_t>(sizeof(boot_img_hdr))) {
+ die("cannot load '%s': too short", kernel.c_str());
+ }
if (!memcmp(kdata, BOOT_MAGIC, BOOT_MAGIC_SIZE)) {
- if (cmdline) bootimg_set_cmdline((boot_img_hdr*) kdata, cmdline);
+ if (cmdline) bootimg_set_cmdline(reinterpret_cast<boot_img_hdr*>(kdata), cmdline);
if (!ramdisk.empty()) die("cannot boot a boot.img *and* ramdisk");
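Review bot: The added `ksize` check bounds the file but not the string, so the `bootimg_set_cmdline(reinterpret_cast<boot_img_hdr*>(kdata), cmdline)` call still hands a caller-supplied `cmdline` of arbitrary length (the Test line uses 4000 bytes) to the header writer. `bootimg_set_cmdline` is defined outside this hunk and this page is limited to fastboot.cpp, so whether it bounds the copy cannot be confirmed from here; if it does not, a guard such as `if (cmdline && strlen(cmdline) >= sizeof(boot_img_hdr::cmdline)) die("command line too large");` belongs before the call or inside the helper. A short comment would also make clear that the size check sits ahead of the `memcmp` on purpose, e.g. `// Too small to hold a header: reject before memcmp and bootimg_set_cmdline touch kdata.` load_bootable_image starts and ends outside the hunk.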