trivial: Add more fuzzing alignment checks

In reality these are not super interesting as they only happen on `->write()` and not `->parse()`. In other news, the fuzzer now appreciates how critical the alignment is, which is probably a good thing generally. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40088
2025-07-27 07:52:24 +00:00 · 2021-10-18 19:19:47 +01:00 · 2021-10-18 19:19:47 +01:00 · 27e40c3025
commit 27e40c3025
parent a5ef3629d4
3 changed files with 30 additions and 0 deletions
--- a/libfwupdplugin/fu-efi-firmware-volume.c
+++ b/libfwupdplugin/fu-efi-firmware-volume.c
@ -301,6 +301,16 @@ fu_efi_firmware_volume_write(FuFirmware *firmware, GError **error)
 	g_autoptr(GBytes) img_blob = NULL;
 	g_autoptr(FuFirmware) img = NULL;

+	/* sanity check */
+	if (fu_firmware_get_alignment(firmware) > FU_FIRMWARE_ALIGNMENT_1M) {
+		g_set_error(error,
+			    FWUPD_ERROR,
+			    FWUPD_ERROR_INVALID_FILE,
+			    "alignment invalid, got 0x%02x",
+			    fu_firmware_get_alignment(firmware));
+		return NULL;
+	}
+
 	/* zero vector */
 	for (guint i = 0; i < 0x10; i++)
 		fu_byte_array_append_uint8(buf, 0x0);
--- a/libfwupdplugin/fu-ifd-image.c
+++ b/libfwupdplugin/fu-ifd-image.c
@ -75,6 +75,16 @@ fu_ifd_image_write(FuFirmware *firmware, GError **error)
 	g_autoptr(GByteArray) buf = g_byte_array_new();
 	g_autoptr(GPtrArray) images = fu_firmware_get_images(firmware);

+	/* sanity check */
+	if (fu_firmware_get_alignment(firmware) > FU_FIRMWARE_ALIGNMENT_1M) {
+		g_set_error(error,
+			    FWUPD_ERROR,
+			    FWUPD_ERROR_INVALID_FILE,
+			    "alignment invalid, got 0x%02x",
+			    fu_firmware_get_alignment(firmware));
+		return NULL;
+	}
+
 	/* add each volume */
 	if (images->len > 0) {
 		for (guint i = 0; i < images->len; i++) {
--- a/plugins/bcm57xx/fu-bcm57xx-stage1-image.c
+++ b/plugins/bcm57xx/fu-bcm57xx-stage1-image.c
@ -102,6 +102,16 @@ fu_bcm57xx_stage1_image_write(FuFirmware *firmware, GError **error)
 	g_autoptr(GByteArray) buf = g_byte_array_new();
 	g_autoptr(GBytes) fw_nocrc = NULL;

+	/* sanity check */
+	if (fu_firmware_get_alignment(firmware) > FU_FIRMWARE_ALIGNMENT_1M) {
+		g_set_error(error,
+			    FWUPD_ERROR,
+			    FWUPD_ERROR_INVALID_FILE,
+			    "alignment invalid, got 0x%02x",
+			    fu_firmware_get_alignment(firmware));
+		return NULL;
+	}
+
 	/* the CRC-less payload */
 	fw_nocrc = fu_firmware_get_bytes(firmware, error);
 	if (fw_nocrc == NULL)