| author | Nicolas Boichat <drinkcat@chromium.org> | 2018-06-23 17:02:34 +0800 |
|---|---|---|
| committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-27 22:07:25 -0700 |
| commit | 29bcf334faf89986816127690a9c99459d74a801 (patch) | |
| tree | 7417397f28aa1f7cd79e5af96d6923a32bfb1541 | |
| parent | f7d94e0c3e6d5c2f0a5424c9563ea33038e7a0a4 (diff) | |
| download | chrome-ec-29bcf334faf89986816127690a9c99459d74a801.tar.gz | |
flash: Fix flash_range_ok
With parameter offset=0x7f000000 size_req=7f7f0000, flash_range_ok
fails to notice that the offset/size is invalid, as offset+size
overflows and becomes negative.
BRANCH=none
BUG=chromium:855951
TEST=make buildfuzztests -j
echo AxMAAH8AAAB/AAB/f39/Bg== | base64 -d > crash
ASAN_OPTIONS="log_path=stderr" \
build/host/host_command_fuzz/host_command_fuzz.exe ./crash
Change-Id: I9e4c752bee2695a87e69c2ff8494af4e9bffc9a4
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1116198
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
| -rw-r--r-- | common/flash.c | 2 |
|---|---|---|

1 file changed, 2 insertions, 0 deletions
diff --git a/common/flash.c b/common/flash.c index 6746f178ef..f52023dbb9 100644 --- a/common/flash.c +++ b/common/flash.c @@ -159,6 +159,8 @@ int flash_bank_count(int offset, int size) int flash_range_ok(int offset, int size_req, int align) { if (offset < 0 || size_req < 0 || + offset > CONFIG_FLASH_SIZE || + size_req > CONFIG_FLASH_SIZE || offset + size_req > CONFIG_FLASH_SIZE || (offset | size_req) & (align - 1)) return 0; /* Invalid range */ |
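Review bot: The two new bounds checks in flash_range_ok make the existing `offset + size_req > CONFIG_FLASH_SIZE` test safe only because each operand is now capped at CONFIG_FLASH_SIZE, so the sum is at most 2*CONFIG_FLASH_SIZE; that silently assumes CONFIG_FLASH_SIZE < INT_MAX/2, which holds for any real part but is not stated anywhere, and it also depends on the `||` short-circuit order keeping the addition from ever being evaluated on out-of-range input (signed overflow being undefined behaviour in C, not merely "negative"). A one-line comment on the new lines would capture both constraints; alternatively, rewrite the sum test as `size_req > CONFIG_FLASH_SIZE - offset`, which cannot overflow once `offset` has passed its own range check and makes the added `size_req > CONFIG_FLASH_SIZE` line redundant. Since the bug was found by host_command_fuzz, adding the reproducer input from the commit message to the fuzzer's seed corpus would keep this case covered.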