elanfp: Add some sanity checks to the firmware parser

Fixes https://oss-fuzz.com/testcase-detail/6107550261575680
Richard Hughes 2021-11-22 22:43:00 +00:00
parent 93aae762a6
commit e1e212553b


@ -52,6 +52,7 @@ fu_elanfp_firmware_parse(FuFirmware *firmware,
gsize bufsz; gsize bufsz;
guint32 tag = 0; guint32 tag = 0;
gsize offset = 0x00; gsize offset = 0x00;
guint img_cnt = 0;
/* check the tag */ /* check the tag */
buf = g_bytes_get_data(fw, &bufsz); buf = g_bytes_get_data(fw, &bufsz);
@ -80,6 +81,15 @@ fu_elanfp_firmware_parse(FuFirmware *firmware,
g_autoptr(GBytes) blob = NULL; g_autoptr(GBytes) blob = NULL;
g_autoptr(FuFirmware) img = NULL; g_autoptr(FuFirmware) img = NULL;
/* check sanity */
if (img_cnt++ > 256) {
g_set_error_literal(error,
FWUPD_ERROR,
FWUPD_ERROR_NOT_SUPPORTED,
"too many images detected");
return FALSE;
}
/* type, reserved, start-addr, len */ /* type, reserved, start-addr, len */
if (!fu_common_read_uint32_safe(buf, if (!fu_common_read_uint32_safe(buf,
bufsz, bufsz,
@ -89,6 +99,17 @@ fu_elanfp_firmware_parse(FuFirmware *firmware,
error)) error))
return FALSE; return FALSE;
/* check not already added */
img = fu_firmware_get_image_by_idx(firmware, fwtype, NULL);
if (img != NULL) {
g_set_error(error,
FWUPD_ERROR,
FWUPD_ERROR_NOT_SUPPORTED,
"already parsed image with fwtype 0x%x",
fwtype);
return FALSE;
}
/* done */ /* done */
if (fwtype == FU_ELANTP_FIRMWARE_IDX_END) if (fwtype == FU_ELANTP_FIRMWARE_IDX_END)
break; break;
@ -121,6 +142,14 @@ fu_elanfp_firmware_parse(FuFirmware *firmware,
G_LITTLE_ENDIAN, G_LITTLE_ENDIAN,
error)) error))
return FALSE; return FALSE;
if (length == 0) {
g_set_error(error,
FWUPD_ERROR,
FWUPD_ERROR_NOT_SUPPORTED,
"zero size fwtype 0x%x not supported",
fwtype);
return FALSE;
}
blob = fu_common_bytes_new_offset(fw, start_addr, length, error); blob = fu_common_bytes_new_offset(fw, start_addr, length, error);
if (blob == NULL) if (blob == NULL)
return FALSE; return FALSE;
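Review bot: The image-count guard in the second hunk, `if (img_cnt++ > 256) {`, lets 257 index entries through before it fires, because the pre-increment value is compared with `>`; if the intended cap is 256 it should read `if (img_cnt++ >= 256) {`. The bare 256 would also be clearer as a named constant, with a comment saying that it bounds a loop whose iteration count comes from the firmware file being parsed. All three new checks report malformed input as `FWUPD_ERROR_NOT_SUPPORTED`; `FWUPD_ERROR_INVALID_FILE` would describe a corrupt or hostile image more precisely, provided no caller depends on the current code. The body of fu_elanfp_firmware_parse starts and ends outside the visible hunks, so the loop's other exit conditions could not be checked from here.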