From a5de6f02481cdf24aa6c2f14b81dc86f63b441c6 Mon Sep 17 00:00:00 2001
From: Richard Hughes
Date: Fri, 2 Jul 2021 19:51:54 +0100
Subject: [PATCH] acpi-phat: Prevent a corrupt PHAT table from allocating ~4GB of memory
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35761
---
 plugins/acpi-phat/fu-acpi-phat-health-record.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/plugins/acpi-phat/fu-acpi-phat-health-record.c b/plugins/acpi-phat/fu-acpi-phat-health-record.c
index 84aaecf1f..dd2d0b421 100644
--- a/plugins/acpi-phat/fu-acpi-phat-health-record.c
+++ b/plugins/acpi-phat/fu-acpi-phat-health-record.c
@@ -88,6 +88,14 @@ fu_acpi_phat_health_record_parse (FuFirmware *firmware,
 } else {
 ubufsz = dataoff - 28;
 }
+ if (ubufsz > bufsz) {
+ g_set_error (error,
+ G_IO_ERROR,
+ G_IO_ERROR_INVALID_DATA,
+ "device path too large: 0x%x",
+ (guint) ubufsz);
+ return FALSE;
+ }
 /* check this is an even number of bytes */
 if (ubufsz % 2 != 0) {
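Review bot: The new guard `if (ubufsz > bufsz)` compares the device-path length with the size of the whole buffer, not with the bytes that remain after the path's starting offset, so a length that still runs past the end of the table passes this check and has to be caught by whatever bounds checking the later read does (not visible here). The else branch's `ubufsz = dataoff - 28;` suggests the path starts at offset 28; if that holds for both branches, a tighter form would be `if (bufsz < 28 || ubufsz > bufsz - 28) {`. Separately, a corrupt `dataoff` below 28 appears to wrap in that subtraction and is only rejected here as "device path too large", so an explicit `dataoff < 28` check before the subtraction would reject it deliberately and give a more accurate error. The `(guint) ubufsz` cast with `0x%x` may also truncate the reported value if `ubufsz` is a `gsize`. The function body begins and continues outside this hunk, so the variable types and the first branch are not visible.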