proxmox-mirrors/fwupd
1
0
Fork 0
mirror of https://git.proxmox.com/git/fwupd synced 2025-08-14 18:49:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

synaptics-rmi: Limit the number of containers to a sane value

Browse Source 
Using hongfuzz we managed to build a valid firmware with 246625043 containers,
which took over 60 seconds to parse.
This commit is contained in:
Richard Hughes 2021-02-10 12:37:53 +00:00
parent 84176c9e1a
commit a45d807a08
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
plugins/synaptics-rmi/fu-synaptics-rmi-firmware.c
View File

@ -49,6 +49,7 @@ G_DEFINE_TYPE (FuSynapticsRmiFirmware, fu_synaptics_rmi_firmware, FU_TYPE_FIRMWA
#define RMI_IMG_FW_OFFSET 0x100 #define RMI_IMG_FW_OFFSET 0x100
#define RMI_IMG_V10_CNTR_ADDR_OFFSET 0x0c #define RMI_IMG_V10_CNTR_ADDR_OFFSET 0x0c
#define RMI_IMG_MAX_CONTAINERS 1024
typedef struct __attribute__((packed)) { typedef struct __attribute__((packed)) {
guint32 content_checksum; guint32 content_checksum;
@ -224,6 +225,14 @@ fu_synaptics_rmi_firmware_parse_v10 (FuFirmware *firmware, GBytes *fw, GError **
return FALSE; return FALSE;
} }
cntrs_len = GUINT32_FROM_LE(desc.content_length) / 4; cntrs_len = GUINT32_FROM_LE(desc.content_length) / 4;
if (cntrs_len > RMI_IMG_MAX_CONTAINERS) {
g_set_error (error,
FWUPD_ERROR,
FWUPD_ERROR_INVALID_FILE,
"too many containers in file [%u], maximum is %u",
cntrs_len, (guint) RMI_IMG_MAX_CONTAINERS);
return FALSE;
}
g_debug ("offset=0x%x (cntrs_len=%u)", offset, cntrs_len); g_debug ("offset=0x%x (cntrs_len=%u)", offset, cntrs_len);
for (guint32 i = 0; i < cntrs_len; i++) { for (guint32 i = 0; i < cntrs_len; i++) {