From f81a3e671e2c48e1615552e5daedaa1cacdd9407 Mon Sep 17 00:00:00 2001
From: Richard Hughes <richard@hughsie.com>
Date: Thu, 28 Apr 2022 09:30:56 +0100
Subject: [PATCH] synaptics-mst: Read the fw-size in a more safe way

---
 plugins/synaptics-mst/fu-synaptics-mst-device.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/plugins/synaptics-mst/fu-synaptics-mst-device.c b/plugins/synaptics-mst/fu-synaptics-mst-device.c
index 7f64b6765..7146b50fe 100644
--- a/plugins/synaptics-mst/fu-synaptics-mst-device.c
+++ b/plugins/synaptics-mst/fu-synaptics-mst-device.c
@@ -525,7 +525,7 @@ fu_synaptics_mst_device_update_panamera_firmware(FuSynapticsMstDevice *self,
 						 GError **error)
 {
 	guint16 crc_tmp = 0;
-	guint32 fw_size;
+	guint32 fw_size = 0;
 	guint32 unit_sz = BLOCK_UNIT;
 	guint32 write_loops = 0;
 	guint8 bank_to_update = BANKTAG_1;
@@ -543,8 +543,14 @@ fu_synaptics_mst_device_update_panamera_firmware(FuSynapticsMstDevice *self,
 	g_debug("bank to update:%x", bank_to_update);
 
 	/* get firmware size */
-	fw_size = 0x410 + (*(payload_data + 0x400) << 24) + (*(payload_data + 0x401) << 16) +
-		  (*(payload_data + 0x402) << 8) + (*(payload_data + 0x403));
+	if (!fu_common_read_uint32_safe(payload_data,
+					payload_len,
+					0x400,
+					&fw_size,
+					G_LITTLE_ENDIAN,
+					error))
+		return FALSE;
+	fw_size += 0x410;
 
 	/* Current max firmware size is 104K */
 	if (fw_size < payload_len)