authorWilliam Wilgus <me.theuser@yahoo.com>2018-12-14 04:22:16 -0600
committerWilliam Wilgus <me.theuser@yahoo.com>2019-01-04 06:47:20 +0100
commit976831e6674db98cc7992db1479afff9d2877c81 (patch)
tree0c3e107ee565135a47ba1c93ee809bc6a656bd0f /firmware
parent929ea73cd6052c9171d5884f9469ac2ba04af495 (diff)
Buflib add range checks blocks and crc_slot raise panic if out of range
Change-Id: I81df5c145a8cb003827a5423f484f70333e2472e
Diffstat (limited to 'firmware')
-rw-r--r--firmware/buflib.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/firmware/buflib.c b/firmware/buflib.c
index 06b52ca934..f909ab8333 100644
--- a/firmware/buflib.c
+++ b/firmware/buflib.c
@@ -248,9 +248,16 @@ static bool
move_block(struct buflib_context* ctx, union buflib_data* block, int shift)
{
char* new_start;
+
+ if (block < ctx->buf_start || block > ctx->alloc_end)
+ buflib_panic(ctx, "buflib data corrupted %p", block);
+
union buflib_data *new_block, *tmp = block[1].handle, *crc_slot;
struct buflib_callbacks *ops = block[2].ops;
crc_slot = (union buflib_data*)tmp->alloc - 1;
+ if (crc_slot < ctx->buf_start || crc_slot > ctx->alloc_end)
+ buflib_panic(ctx, "buflib metadata corrupted %p", crc_slot);
+
const int metadata_size = (crc_slot - block)*sizeof(union buflib_data);
uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff);
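Review bot: The second added check bounds `crc_slot` to the whole buffer rather than to this block, so a `crc_slot` that lies inside the buffer but below `block` still produces a negative `metadata_size` that is handed to `crc_32` as a length. Using `block` as the lower bound would close that, e.g. `if (crc_slot < block || crc_slot > ctx->alloc_end)`. Separately, `tmp->alloc` is dereferenced on the line before that check without `tmp` (taken from `block[1].handle`) ever being validated, so a corrupted handle field is followed before the panic can fire; checking `tmp` against the context's handle-table bounds first would cover it. The first check also accepts `block == ctx->alloc_end` and then reads `block[1]` and `block[2]`; if `alloc_end` is one past the last block, which the page does not show, `>=` looks like the intended comparison. The body of `move_block` continues outside the hunk.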