Fix OOB in rmi4utils firmware image parsing Test: Verified compilation against ryu-userdebug Bug: 33917273 Change-Id: I6a56e287c77bcc97b8b5a5485d7285772f682204

commit: d45cae258a3d831cd035ccecb3daa763d26346df [log] [tgz]
author: Robb Glasser <rglasser@google.com> Tue Feb 14 14:20:33 2017 -0800
committer: Robb Glasser <rglasser@google.com> Tue Feb 14 14:24:10 2017 -0800
tree: e1d2a64b1f64d1d7a7612b5d27a066167e2643a9
parent: 40eb2d785d3e367c01fc2a3d53820550e7f66739 [diff]
diff --git a/rmi4update/firmware_image.cpp b/rmi4update/firmware_image.cpp
index 8acc2d6..babce56 100644
--- a/rmi4update/firmware_image.cpp
+++ b/rmi4update/firmware_image.cpp

@@ -87,6 +87,12 @@
 	m_io = m_memBlock[RMI_IMG_IO_OFFSET];
 	m_bootloaderVersion = m_memBlock[RMI_IMG_BOOTLOADER_VERSION_OFFSET];
 	m_firmwareSize = extract_long(&m_memBlock[RMI_IMG_IMAGE_SIZE_OFFSET]);
+
+	if ((unsigned long)m_imageSize - RMI_IMG_FW_OFFSET - 1 < m_firmwareSize) {
+		fprintf(stderr, "Supplied firmware image size too large, goes out of image file size bound\n");
+		return UPDATE_FAIL_VERIFY_FIRMWARE_SIZE;
+	}
+
 	m_configSize = extract_long(&m_memBlock[RMI_IMG_CONFIG_SIZE_OFFSET]);
 	if (m_io == 1) {
 		m_firmwareBuildID = extract_long(&m_memBlock[RMI_IMG_FW_BUILD_ID_OFFSET]);
commit	d45cae258a3d831cd035ccecb3daa763d26346df	[log] [tgz]
author	Robb Glasser <rglasser@google.com>	Tue Feb 14 14:20:33 2017 -0800
committer	Robb Glasser <rglasser@google.com>	Tue Feb 14 14:24:10 2017 -0800
tree	e1d2a64b1f64d1d7a7612b5d27a066167e2643a9
parent	40eb2d785d3e367c01fc2a3d53820550e7f66739 [diff]