Skip to content

Commit 3053c2e

Browse files
lrgirdwolrgirdwo
committed
rimage: avoid reading past the buffer scanning for the marker
The marker scan read a 32-bit word at each offset up to the last byte, reading a few bytes past the buffer at the tail. Stop once fewer than a word remains, in both scan sites. Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>
1 parent 5509713 commit 3053c2e

1 file changed

Lines changed: 2 additions & 2 deletions

File tree

tools/rimage/src/manifest.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1676,7 +1676,7 @@ int verify_image(struct image *image)
16761676
ret = file_error("unable to read whole file", image->verify_file);
16771677
goto out;
16781678
}
1679-
for (i = 0; i < size; i += sizeof(uint32_t)) {
1679+
for (i = 0; i + sizeof(uint32_t) <= size; i += sizeof(uint32_t)) {
16801680
/* find CSE header marker "$CPD" */
16811681
if (*(uint32_t *)(buffer + i) == CSE_HEADER_MAKER) {
16821682
image->fw_image = buffer + i;
@@ -1733,7 +1733,7 @@ int resign_image(struct image *image)
17331733

17341734
fclose(in_file);
17351735

1736-
for (i = 0; i < size; i += sizeof(uint32_t)) {
1736+
for (i = 0; i + sizeof(uint32_t) <= size; i += sizeof(uint32_t)) {
17371737
/* find CSE header marker "$CPD" */
17381738
if (*(uint32_t *)(buffer + i) == CSE_HEADER_MAKER) {
17391739
image->fw_image = buffer + i;

0 commit comments

Comments
 (0)