From a45d807a08f46749b023e30dec1ced5e75b854b6 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Wed, 10 Feb 2021 12:37:53 +0000
Subject: [PATCH] synaptics-rmi: Limit the number of containers to a sane value
Using hongfuzz we managed to build a valid firmware with 246625043 containers, which took over 60 seconds to parse.
---
 plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c b/plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c
index 3dd720c8a..2d19430fb 100644
--- a/plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c
+++ b/plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c
@@ -49,6 +49,7 @@ G_DEFINE_TYPE (FuSynapticsRmiFirmware, fu_synaptics_rmi_firmware, FU_TYPE_FIRMWA
 #define RMI_IMG_FW_OFFSET 0x100
 #define RMI_IMG_V10_CNTR_ADDR_OFFSET 0x0c
+#define RMI_IMG_MAX_CONTAINERS 1024
 typedef struct __attribute__((packed)) {
 guint32 content_checksum;
@@ -224,6 +225,14 @@ fu_synaptics_rmi_firmware_parse_v10 (FuFirmware *firmware, GBytes *fw, GError **
 return FALSE;
 }
 cntrs_len = GUINT32_FROM_LE(desc.content_length) / 4;
+ if (cntrs_len > RMI_IMG_MAX_CONTAINERS) {
+ g_set_error (error,
+ FWUPD_ERROR,
+ FWUPD_ERROR_INVALID_FILE,
+ "too many containers in file [%u], maximum is %u",
+ cntrs_len, (guint) RMI_IMG_MAX_CONTAINERS);
+ return FALSE;
+ }
 g_debug ("offset=0x%x (cntrs_len=%u)", offset, cntrs_len);
 for (guint32 i = 0; i < cntrs_len; i++) {
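Review bot: `RMI_IMG_MAX_CONTAINERS` is added without a comment saying where 1024 comes from, so a later reader cannot tell whether it is a limit of the image format or a parser safety cap. The commit message points to the latter (a fuzzer-built image with 246625043 containers took over 60 seconds to parse), and that rationale belongs next to the define, for example `/* parser safety cap, not a format limit: bounds the work done for an untrusted content_length */`. If real images are known to stay far below this value, stating that would help whoever later has to raise it.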
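Review bot: The new cap in fu_synaptics_rmi_firmware_parse_v10 bounds `cntrs_len` by a fixed constant but not by the data actually present, since nothing visible in the hunk compares `desc.content_length` with the bytes of `fw` that remain after `offset`. Unless the loop body, which lies outside this hunk, already fails on the first out-of-range read, a check before the division such as `if (GUINT32_FROM_LE(desc.content_length) > g_bytes_get_size (fw) - offset)` (with `offset` itself validated first so the subtraction cannot wrap) would reject an inflated count whatever the cap is set to. The division by 4 also silently drops a remainder, so a `content_length` that is not a multiple of 4 is accepted; rejecting it would make the parser stricter on malformed images. The function starts and ends outside the hunk, so both points need confirming against the full body.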