commit 2a60cecfd898cecdde40ea071d02e578715c6245
author Elliott Hughes <enh@google.com> Fri Jan 19 22:52:46 2018 +0000
committer android-build-merger <android-build-merger@google.com> Fri Jan 19 22:52:46 2018 +0000
tree 762985efd3f7e20eb0010b03112cde5aa06febb5
parent 8b77abd09a25098e863f119f3d0dda358fd34811
parent f5451dbec8201b583188193be59e774835d042e7

Merge "Fix fastboot memory corruption." am: b6d7f2655d am: 944cc0d002
am: 8d92bb14f2

Change-Id: I0a70020100fa5aae7fcfd98963da855b9238c4ce

fastboot/bootimg_utils.cpp

diff --git a/fastboot/bootimg_utils.cpp b/fastboot/bootimg_utils.cpp
index c1028ef..62a26b3 100644
--- a/fastboot/bootimg_utils.cpp
+++ b/fastboot/bootimg_utils.cpp
@@ -28,13 +28,15 @@
 
 #include "bootimg_utils.h"
 
+#include "fastboot.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 
-void bootimg_set_cmdline(boot_img_hdr* h, const char* cmdline)
-{
-    strcpy((char*) h->cmdline, cmdline);
+void bootimg_set_cmdline(boot_img_hdr* h, const char* cmdline) {
+    if (strlen(cmdline) >= sizeof(h->cmdline)) die("command line too large: %zu", strlen(cmdline));
+    strcpy(reinterpret_cast<char*>(h->cmdline), cmdline);
 }
 
 boot_img_hdr* mkbootimg(void* kernel, int64_t kernel_size, off_t kernel_offset,

fastboot/fastboot.cpp

diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 6175f59..536d64e 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -447,8 +447,11 @@
     if (kdata == nullptr) die("cannot load '%s': %s", kernel.c_str(), strerror(errno));
 
     // Is this actually a boot image?
+    if (ksize < static_cast<int64_t>(sizeof(boot_img_hdr))) {
+        die("cannot load '%s': too short", kernel.c_str());
+    }
     if (!memcmp(kdata, BOOT_MAGIC, BOOT_MAGIC_SIZE)) {
-        if (cmdline) bootimg_set_cmdline((boot_img_hdr*) kdata, cmdline);
+        if (cmdline) bootimg_set_cmdline(reinterpret_cast<boot_img_hdr*>(kdata), cmdline);
 
         if (!ramdisk.empty()) die("cannot boot a boot.img *and* ramdisk");