Mirrors/u-boot
2
0
Fork 0
mirror of https://github.com/AsahiLinux/u-boot synced 2024-11-10 07:04:28 +00:00
Code Issues Projects Releases Packages Wiki Activity

ifwitool: Fix member access

Browse source 
On a second and third look, a recent patch seems to be writing to the
wrong place - updating offsets from the address of the pointer instead
of what the pointer points to.

Fix it.

Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 2d1b2ac13f ("tool: ifwitool: Fix buffer overflow")
Acked-by: Sean Anderson <seanga2@gmail.com>
This commit is contained in:
Simon Glass 2023-01-18 13:13:17 -07:00 committed by Tom Rini
parent e71505fc98
commit a092f1e906
1 changed files with 20 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
tools/ifwitool.c
View file

@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
*/
static size_t fix_member(void *data, size_t offset, size_t size_bytes)
{
uint8_t *src = (uint8_t *)data + offset;
void *src = (uint8_t *)data + offset;
switch (size_bytes) {
case 1:
@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
size_t offset = 0;
offset = fix_member(&s, offset, sizeof(h->signature));
offset = fix_member(&s, offset, sizeof(h->descriptor_count));
offset = fix_member(&s, offset, sizeof(h->bpdt_version));
offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
offset = fix_member(&s, offset, sizeof(h->ifwi_version));
offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
offset = fix_member(s, offset, sizeof(h->signature));
offset = fix_member(s, offset, sizeof(h->descriptor_count));
offset = fix_member(s, offset, sizeof(h->bpdt_version));
offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
offset = fix_member(s, offset, sizeof(h->ifwi_version));
offset = fix_member(s, offset, sizeof(h->fit_tool_version));
uint32_t i;
for (i = 0; i < count; i++) {
offset = fix_member(&s, offset, sizeof(e[i].type));
offset = fix_member(&s, offset, sizeof(e[i].flags));
offset = fix_member(&s, offset, sizeof(e[i].offset));
offset = fix_member(&s, offset, sizeof(e[i].size));
offset = fix_member(s, offset, sizeof(e[i].type));
offset = fix_member(s, offset, sizeof(e[i].flags));
offset = fix_member(s, offset, sizeof(e[i].offset));
offset = fix_member(s, offset, sizeof(e[i].size));
}
}
@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
size_t count = h->num_entries;
size_t offset = 0;
offset = fix_member(&s, offset, sizeof(h->marker));
offset = fix_member(&s, offset, sizeof(h->num_entries));
offset = fix_member(&s, offset, sizeof(h->header_version));
offset = fix_member(&s, offset, sizeof(h->entry_version));
offset = fix_member(&s, offset, sizeof(h->header_length));
offset = fix_member(&s, offset, sizeof(h->checksum));
offset = fix_member(s, offset, sizeof(h->marker));
offset = fix_member(s, offset, sizeof(h->num_entries));
offset = fix_member(s, offset, sizeof(h->header_version));
offset = fix_member(s, offset, sizeof(h->entry_version));
offset = fix_member(s, offset, sizeof(h->header_length));
offset = fix_member(s, offset, sizeof(h->checksum));
offset += sizeof(h->name);
uint32_t i;
for (i = 0; i < count; i++) {
offset += sizeof(e[i].name);
offset = fix_member(&s, offset, sizeof(e[i].offset));
offset = fix_member(&s, offset, sizeof(e[i].length));
offset = fix_member(&s, offset, sizeof(e[i].rsvd));
offset = fix_member(s, offset, sizeof(e[i].offset));
offset = fix_member(s, offset, sizeof(e[i].length));
offset = fix_member(s, offset, sizeof(e[i].rsvd));
}
}