Buflib add range checks blocks and crc_slot raise panic if out of range

Change-Id: I81df5c145a8cb003827a5423f484f70333e2472e
William Wilgus 2018-12-14 04:22:16 -06:00
parent 929ea73cd6
commit 976831e667


@ -248,9 +248,16 @@ static bool
move_block(struct buflib_context* ctx, union buflib_data* block, int shift) move_block(struct buflib_context* ctx, union buflib_data* block, int shift)
{ {
char* new_start; char* new_start;
if (block < ctx->buf_start || block > ctx->alloc_end)
buflib_panic(ctx, "buflib data corrupted %p", block);
union buflib_data *new_block, *tmp = block[1].handle, *crc_slot; union buflib_data *new_block, *tmp = block[1].handle, *crc_slot;
struct buflib_callbacks *ops = block[2].ops; struct buflib_callbacks *ops = block[2].ops;
crc_slot = (union buflib_data*)tmp->alloc - 1; crc_slot = (union buflib_data*)tmp->alloc - 1;
if (crc_slot < ctx->buf_start || crc_slot > ctx->alloc_end)
buflib_panic(ctx, "buflib metadata corrupted %p", crc_slot);
const int metadata_size = (crc_slot - block)*sizeof(union buflib_data); const int metadata_size = (crc_slot - block)*sizeof(union buflib_data);
uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff); uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff);