diff options
| author | Treehugger Robot <treehugger-gerrit@google.com> | 2018-01-19 22:39:14 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2018-01-19 22:39:14 +0000 |
| commit | b6d7f2655d19f8de30b3957a12715afddf7fc522 (patch) | |
| tree | f2fe5b7f88a73353ed6f44fe14371ead18143d74 /fastboot | |
| parent | 0f2ed7d39820eb1af7b4db4c99065e2ae364ebb6 (diff) | |
| parent | aaa3b6bbf2e8bf5949a3b9af27c0a458fe62828d (diff) | |
| download | system_core-b6d7f2655d19f8de30b3957a12715afddf7fc522.tar.gz system_core-b6d7f2655d19f8de30b3957a12715afddf7fc522.tar.bz2 system_core-b6d7f2655d19f8de30b3957a12715afddf7fc522.zip | |
Merge "Fix fastboot memory corruption."
Diffstat (limited to 'fastboot')
| -rw-r--r-- | fastboot/bootimg_utils.cpp | 8 | ||||
| -rw-r--r-- | fastboot/fastboot.cpp | 5 |
2 files changed, 9 insertions, 4 deletions
diff --git a/fastboot/bootimg_utils.cpp b/fastboot/bootimg_utils.cpp index c1028ef3c..62a26b30a 100644 --- a/fastboot/bootimg_utils.cpp +++ b/fastboot/bootimg_utils.cpp @@ -28,13 +28,15 @@ #include "bootimg_utils.h" +#include "fastboot.h" + #include <stdio.h> #include <stdlib.h> #include <string.h> -void bootimg_set_cmdline(boot_img_hdr* h, const char* cmdline) -{ - strcpy((char*) h->cmdline, cmdline); +void bootimg_set_cmdline(boot_img_hdr* h, const char* cmdline) { + if (strlen(cmdline) >= sizeof(h->cmdline)) die("command line too large: %zu", strlen(cmdline)); + strcpy(reinterpret_cast<char*>(h->cmdline), cmdline); } boot_img_hdr* mkbootimg(void* kernel, int64_t kernel_size, off_t kernel_offset, diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp index 6175f59ef..536d64e4c 100644 --- a/fastboot/fastboot.cpp +++ b/fastboot/fastboot.cpp @@ -447,8 +447,11 @@ static void* load_bootable_image(const std::string& kernel, const std::string& r if (kdata == nullptr) die("cannot load '%s': %s", kernel.c_str(), strerror(errno)); // Is this actually a boot image? + if (ksize < static_cast<int64_t>(sizeof(boot_img_hdr))) { + die("cannot load '%s': too short", kernel.c_str()); + } if (!memcmp(kdata, BOOT_MAGIC, BOOT_MAGIC_SIZE)) { - if (cmdline) bootimg_set_cmdline((boot_img_hdr*) kdata, cmdline); + if (cmdline) bootimg_set_cmdline(reinterpret_cast<boot_img_hdr*>(kdata), cmdline); if (!ramdisk.empty()) die("cannot boot a boot.img *and* ramdisk"); |