From 2f85c24363a841307c80ea212e0ea6618b92cdb0 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Fri, 7 Feb 2020 13:40:24 +0000
Subject: [PATCH] synaptics-rmi: Fix Coverity issue that is impossible to hit in reality

The guint16 was promoted to (signed) int for the multiplication, which meant that the highest address possible was 0x7FFFFFFF not 0xFFFFFFFF. Which doesn't really matter in reality, as all addresses are much smaller than that now.
---
 plugins/synaptics-rmi/fu-synaptics-rmi-v7-device.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/plugins/synaptics-rmi/fu-synaptics-rmi-v7-device.c b/plugins/synaptics-rmi/fu-synaptics-rmi-v7-device.c
index 4f341a001..8d5d6058f 100644
--- a/plugins/synaptics-rmi/fu-synaptics-rmi-v7-device.c
+++ b/plugins/synaptics-rmi/fu-synaptics-rmi-v7-device.c
@@ -465,7 +465,7 @@ fu_synaptics_rmi_device_read_flash_config_v7 (FuSynapticsRmiDevice *self, GError
 /* read back entire buffer in blocks */
 res = fu_synaptics_rmi_device_read (self,
 f34->data_base + 0x5,
- flash->block_size * flash->config_length,
+ (guint32) flash->block_size * (guint32) flash->config_length,
 error);
 if (res == NULL) {
 g_prefix_error (error, "failed to read: ");
@@ -533,6 +533,18 @@ fu_synaptics_rmi_v7_device_setup (FuSynapticsRmiDevice *self, GError **error)
 flash->config_length = fu_common_read_uint16 (f34_dataX->data + 0x0d, G_LITTLE_ENDIAN);
 flash->payload_length = fu_common_read_uint16 (f34_dataX->data + 0x0f, G_LITTLE_ENDIAN);
 flash->build_id = fu_common_read_uint32 (f34_dataX->data + 0x02, G_LITTLE_ENDIAN);
+
+ /* sanity check */
+ if ((guint32) flash->block_size * (guint32) flash->config_length > G_MAXUINT16) {
+ g_set_error (error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_NOT_SUPPORTED,
+ "block size 0x%x or config length 0x%x invalid",
+ flash->block_size, flash->config_length);
+ return FALSE;
+ }
+
+ /* read flash config */
 return fu_synaptics_rmi_device_read_flash_config_v7 (self, error);
 }
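Review bot: The two `(guint32)` casts on the length argument of the `fu_synaptics_rmi_device_read` call have no comment saying why they are needed, so a later cleanup could drop them as redundant. A one-line comment above the call would keep the reason with the code, for example `/* cast before multiplying: guint16 operands are promoted to signed int */`. The same product is recomputed in the new check in `fu_synaptics_rmi_v7_device_setup`, so computing it once into a `guint32` local here would also make the expression easier to compare between the two places. The type of the length parameter of `fu_synaptics_rmi_device_read` is not visible in this hunk, so it is worth confirming that it is at least 32 bits wide; the body of the enclosing function continues outside the hunk.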
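Review bot: The added check in `fu_synaptics_rmi_v7_device_setup` only bounds the product from above, so a device that reports a `block_size` or `config_length` of zero still passes and the call that follows asks for a zero-length read. If a zero value is never valid, reject it in the same condition, `if (flash->block_size == 0 || flash->config_length == 0 || (guint32) flash->block_size * (guint32) flash->config_length > G_MAXUINT16) {`. The comment `/* sanity check */` does not say why `G_MAXUINT16` is the limit; something like `/* both values come from the device; bound the read length used by fu_synaptics_rmi_device_read_flash_config_v7() */` would record that, assuming that is the intent. `payload_length` is read from the same device data a few lines up and is not bounded here; whether it is multiplied by `block_size` elsewhere cannot be seen from this hunk. The function begins outside the hunk, including the assignment of `flash->block_size`.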