summaryrefslogtreecommitdiff
path: root/lib/libavb/avb_descriptor.c
diff options
context:
space:
mode:
Diffstat (limited to 'lib/libavb/avb_descriptor.c')
-rw-r--r--lib/libavb/avb_descriptor.c11
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/libavb/avb_descriptor.c b/lib/libavb/avb_descriptor.c
index fb0b305f2c..9f03b9777a 100644
--- a/lib/libavb/avb_descriptor.c
+++ b/lib/libavb/avb_descriptor.c
@@ -72,7 +72,11 @@ bool avb_descriptor_foreach(const uint8_t* image_data,
const AvbDescriptor* dh = (const AvbDescriptor*)p;
avb_assert_aligned(dh);
uint64_t nb_following = avb_be64toh(dh->num_bytes_following);
- uint64_t nb_total = sizeof(AvbDescriptor) + nb_following;
+ uint64_t nb_total = 0;
+ if (!avb_safe_add(&nb_total, sizeof(AvbDescriptor), nb_following)) {
+ avb_error("Invalid descriptor length.\n");
+ goto out;
+ }
if ((nb_total & 7) != 0) {
avb_error("Invalid descriptor length.\n");
@@ -88,7 +92,10 @@ bool avb_descriptor_foreach(const uint8_t* image_data,
goto out;
}
- p += nb_total;
+ if (!avb_safe_add_to((uint64_t*)(&p), nb_total)) {
+ avb_error("Invalid descriptor length.\n");
+ goto out;
+ }
}
ret = true;
View Lorry Controller Status