Commit 3474098c authored by anonymous's avatar anonymous

Fix possible OOB write

parent 4d73f422
......@@ -95,6 +95,7 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
return -1;
}
if (size > vmsize) {
BD_DEBUG(DBG_BDPLUS,"[diff] Diff size larger than vmsize\n");
fclose(fd);
return -2; // Safety
}
......@@ -114,6 +115,11 @@ int32_t diff_loadcore(uint8_t *addr, uint32_t vmsize, char *fname,
start = FETCH4((uint8_t*)&start);
length = FETCH4((uint8_t*)&length);
if ((uint64_t)start + length > (uint64_t)vmsize) {
BD_DEBUG(DBG_BDPLUS,"[diff] Diff skipping load (would exceed vmsize)\n");
fclose(fd);
return -2;
}
if (fread(&addr[ start ], length, 1, fd) != 1) goto fail;
} // currdiff
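Review bot: The debug message on the new guard says "skipping load", but the code that follows closes the file and returns -2, which aborts the whole load rather than skipping one entry; the message should state what actually happens so a log reader does not assume the remaining entries were applied, e.g. `BD_DEBUG(DBG_BDPLUS,"[diff] Diff entry exceeds vmsize, aborting load\n");`. The bounds check itself is sound: promoting to uint64_t before the add means a large start plus length cannot wrap a 32-bit sum past vmsize, and the earlier `size > vmsize` check in the first hunk does not cover this case because start is a per-entry offset. Note that entries processed before the failing one have presumably already been written into addr, so callers must treat -2 as "VM image is in an undefined state", which is worth a one-line comment above the return. The `fclose(fd); return -2;` pair duplicates the fail path used elsewhere in the function; the body of diff_loadcore continues outside this hunk, so it may be cleaner to route this through the existing `fail` label if that label also closes fd.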