[U-Boot] [PATCH 6/6] bootm: correctly bounds-check decompression

Kees Cook keescook at chromium.org
Tue Aug 13 01:02:04 CEST 2013


This passes the actual memory allocation size for the destination to the
decompression routines, avoiding potential memory overflows.

Signed-off-by: Kees Cook <keescook at chromium.org>
---
 common/cmd_bootm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index ba0bcd4..ac4fad1 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -362,7 +362,7 @@ static int bootm_load_os(image_info_t os, ulong *load_end, int boot_progress)
 
 	const char *type_name = genimg_get_type_name(os.type);
 
-	load_buf = map_sysmem(load, image_len);
+	load_buf = map_sysmem(load, unc_len);
 	image_buf = map_sysmem(image_start, image_len);
 	switch (comp) {
 	case IH_COMP_NONE:
-- 
1.7.9.5



More information about the U-Boot mailing list