wacom-usb: Fix a timeout when parsing very corrupt firmware

Fixes https://oss-fuzz.com/testcase-detail/5797345020739584
2025-08-15 13:55:46 +00:00 · 2022-04-27 19:30:00 +01:00 · 2022-04-27 19:30:00 +01:00 · f5bbd744f5
commit f5bbd744f5
parent 89cfe97625
1 changed files with 11 additions and 0 deletions
--- a/plugins/wacom-usb/fu-wac-firmware.c
+++ b/plugins/wacom-usb/fu-wac-firmware.c
@ -19,6 +19,7 @@ struct _FuWacFirmware {
 G_DEFINE_TYPE(FuWacFirmware, fu_wac_firmware, FU_TYPE_FIRMWARE)

 #define FU_WAC_FIRMWARE_TOKENS_MAX 100000 /* lines */
+#define FU_WAC_FIRMWARE_SECTIONS_MAX 10

 typedef struct {
 	guint32 addr;
@ -71,6 +72,16 @@ fu_wac_firmware_tokenize_cb(GString *token, guint token_idx, gpointer user_data,
 					    token->len);
 				return FALSE;
 			}
+
+			/* sanity check */
+			if (helper->header_infos->len > FU_WAC_FIRMWARE_SECTIONS_MAX) {
+				g_set_error(error,
+					    FWUPD_ERROR,
+					    FWUPD_ERROR_INTERNAL,
+					    "too many metadata sections: %u",
+					    helper->header_infos->len);
+				return FALSE;
+			}
 			if (!fu_firmware_strparse_uint4_safe(token->str,
 							     token->len,
 							     5,