authorNicolas Boichat <drinkcat@chromium.org>2018-06-23 17:02:34 +0800
committerchrome-bot <chrome-bot@chromium.org>2018-06-27 22:07:25 -0700
commit29bcf334faf89986816127690a9c99459d74a801 (patch)
tree7417397f28aa1f7cd79e5af96d6923a32bfb1541
parentf7d94e0c3e6d5c2f0a5424c9563ea33038e7a0a4 (diff)
downloadchrome-ec-29bcf334faf89986816127690a9c99459d74a801.tar.gz
flash: Fix flash_range_ok
With parameter offset=0x7f000000 size_req=7f7f0000, flash_range_ok fails to notice that the offset/size is invalid, as offset+size overflows and becomes negative. BRANCH=none BUG=chromium:855951 TEST=make buildfuzztests -j echo AxMAAH8AAAB/AAB/f39/Bg== | base64 -d > crash ASAN_OPTIONS="log_path=stderr" \ build/host/host_command_fuzz/host_command_fuzz.exe ./crash Change-Id: I9e4c752bee2695a87e69c2ff8494af4e9bffc9a4 Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1116198 Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
-rw-r--r--common/flash.c2
1 files changed, 2 insertions, 0 deletions
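--- a/common/flash.c
+++ b/common/flash.c
@@ -159,6 +159,8 @@ int flash_bank_count(int offset, int size)
 int flash_range_ok(int offset, int size_req, int align)
 {
 if (offset < 0 || size_req < 0 ||
+ offset > CONFIG_FLASH_SIZE ||
+ size_req > CONFIG_FLASH_SIZE ||
 offset + size_req > CONFIG_FLASH_SIZE ||
 (offset | size_req) & (align - 1))
 return 0; /* Invalid range */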
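Review bot: The two added comparisons only make the `offset + size_req` sum on the following line overflow-safe because CONFIG_FLASH_SIZE is presumably far below INT_MAX/2; nothing in the condition records that dependency, so a one-line comment such as `/* Bound offset and size_req individually first so offset + size_req cannot overflow */` above the `if` would tell the next reader why three range checks exist. Once `offset >= 0` is established, the single test `size_req > CONFIG_FLASH_SIZE - offset` covers all three of the new and old bound checks with no sum at all, provided CONFIG_FLASH_SIZE is a signed int constant (if it were unsigned the subtraction would wrap, so confirm its definition before simplifying). The `(align - 1)` mask still assumes a power-of-two, non-zero `align`, which this change does not address. flash_range_ok's body continues past the hunk.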