diff options
| author | Troy Kisky <troy.kisky@boundarydevices.com> | 2012-10-03 15:47:03 +0000 |
|---|---|---|
| committer | Stefano Babic <sbabic@denx.de> | 2012-10-20 17:13:01 +0200 |
| commit | 4d5fa985361f320c2c9830828bb52979927a4c0e (patch) | |
| tree | cc4bbc33fd21c171e11830e0e3194e65bd6a7042 | |
| parent | c2cfe57e7ce8ea8550cb9b8cc1f35053abe7815f (diff) | |
| download | olio-uboot-2014.01-4d5fa985361f320c2c9830828bb52979927a4c0e.tar.xz olio-uboot-2014.01-4d5fa985361f320c2c9830828bb52979927a4c0e.zip | |
imximage: check dcd_len as entries added
Before the len was checked after the entire file
was processed, so it could have already overflowed.
Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
| -rw-r--r-- | tools/imximage.c | 26 |
1 files changed, 11 insertions, 15 deletions
diff --git a/tools/imximage.c b/tools/imximage.c index 03a771667..c9170366b 100644 --- a/tools/imximage.c +++ b/tools/imximage.c @@ -71,6 +71,7 @@ static uint32_t imximage_version; static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; static set_imx_hdr_t set_imx_hdr; +static uint32_t max_dcd_entries; static uint32_t get_cfg_value(char *token, char *name, int linenr) { @@ -170,13 +171,6 @@ static void set_dcd_rst_v1(struct imx_header *imxhdr, uint32_t dcd_len, { dcd_v1_t *dcd_v1 = &imxhdr->header.hdr_v1.dcd_table; - if (dcd_len > MAX_HW_CFG_SIZE_V1) { - fprintf(stderr, "Error: %s[%d] -" - "DCD table exceeds maximum size(%d)\n", - name, lineno, MAX_HW_CFG_SIZE_V1); - exit(EXIT_FAILURE); - } - dcd_v1->preamble.barker = DCD_BARKER; dcd_v1->preamble.length = dcd_len * sizeof(dcd_type_addr_data_t); } @@ -190,13 +184,6 @@ static void set_dcd_rst_v2(struct imx_header *imxhdr, uint32_t dcd_len, { dcd_v2_t *dcd_v2 = &imxhdr->header.hdr_v2.dcd_table; - if (dcd_len > MAX_HW_CFG_SIZE_V2) { - fprintf(stderr, "Error: %s[%d] -" - "DCD table exceeds maximum size(%d)\n", - name, lineno, MAX_HW_CFG_SIZE_V2); - exit(EXIT_FAILURE); - } - dcd_v2->header.tag = DCD_HEADER_TAG; dcd_v2->header.length = cpu_to_be16( dcd_len * sizeof(dcd_addr_data_t) + 8); @@ -295,11 +282,13 @@ static void set_hdr_func(struct imx_header *imxhdr) set_dcd_val = set_dcd_val_v1; set_dcd_rst = set_dcd_rst_v1; set_imx_hdr = set_imx_hdr_v1; + max_dcd_entries = MAX_HW_CFG_SIZE_V1; break; case IMXIMAGE_V2: set_dcd_val = set_dcd_val_v2; set_dcd_rst = set_dcd_rst_v2; set_imx_hdr = set_imx_hdr_v2; + max_dcd_entries = MAX_HW_CFG_SIZE_V2; break; default: err_imximage_version(imximage_version); @@ -426,8 +415,15 @@ static void parse_cfg_fld(struct imx_header *imxhdr, int32_t *cmd, value = get_cfg_value(token, name, lineno); (*set_dcd_val)(imxhdr, name, lineno, fld, value, *dcd_len); - if (fld == CFG_REG_VALUE) + if (fld == CFG_REG_VALUE) { (*dcd_len)++; + if (*dcd_len > max_dcd_entries) { + fprintf(stderr, "Error: %s[%d] -" + "DCD table exceeds maximum size(%d)\n", + name, lineno, max_dcd_entries); + exit(EXIT_FAILURE); + } + } break; default: break; |