diff options
author | William Wilgus <me.theuser@yahoo.com> | 2018-12-14 04:22:16 -0600 |
---|---|---|
committer | William Wilgus <me.theuser@yahoo.com> | 2019-01-04 06:47:20 +0100 |
commit | 976831e6674db98cc7992db1479afff9d2877c81 (patch) | |
tree | 0c3e107ee565135a47ba1c93ee809bc6a656bd0f | |
parent | 929ea73cd6052c9171d5884f9469ac2ba04af495 (diff) | |
download | rockbox-976831e.tar.gz rockbox-976831e.zip |
Buflib add range checks blocks and crc_slot raise panic if out of range
Change-Id: I81df5c145a8cb003827a5423f484f70333e2472e
-rw-r--r-- | firmware/buflib.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/firmware/buflib.c b/firmware/buflib.c index 06b52ca934..f909ab8333 100644 --- a/firmware/buflib.c +++ b/firmware/buflib.c @@ -248,9 +248,16 @@ static bool move_block(struct buflib_context* ctx, union buflib_data* block, int shift) { char* new_start; + + if (block < ctx->buf_start || block > ctx->alloc_end) + buflib_panic(ctx, "buflib data corrupted %p", block); + union buflib_data *new_block, *tmp = block[1].handle, *crc_slot; struct buflib_callbacks *ops = block[2].ops; crc_slot = (union buflib_data*)tmp->alloc - 1; + if (crc_slot < ctx->buf_start || crc_slot > ctx->alloc_end) + buflib_panic(ctx, "buflib metadata corrupted %p", crc_slot); + const int metadata_size = (crc_slot - block)*sizeof(union buflib_data); uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff); |