core: fix possible overflow in shdr_alloc_and_copy()

Prior to this patch, if SHDR_GET_SIZE() overflows it will return 0 and further down in the function lead to an out-of-bounds access. So fix this with an explicit test before using shdr_size in shdr_alloc_and_copy(). Fixes: 064663e ("core: crypto: add struct shdr helper functions") Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
gagachang · May 22, 2024 · 6b5d112 · 6b5d112
1 parent 78444d3
commit 6b5d112
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/crypto/signed_hdr.c b/core/crypto/signed_hdr.c
@@ -29,7 +29,7 @@ struct shdr *shdr_alloc_and_copy(size_t offs, const void *img, size_t img_size)
 		return NULL;
 
 	shdr_size = SHDR_GET_SIZE((const struct shdr *)(img_va + offs));
-	if (ADD_OVERFLOW(offs, shdr_size, &end) || end > img_size)
+	if (!shdr_size || ADD_OVERFLOW(offs, shdr_size, &end) || end > img_size)
 		return NULL;
 
 	if (ADD_OVERFLOW(img_va, shdr_size, &tmp))