From c258289b7448ad0ddb04dbd4367323ed8bb8ba1a Mon Sep 17 00:00:00 2001
From: Pali Rohár
Date: Sun, 10 Jan 2016 14:33:30 +0100
Subject: image: Check for return value fo image_read() in image_type_from_data()
---
src/image.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
(limited to 'src/image.c')
diff --git a/src/image.c b/src/image.c
index 0daebf3..23d79d8 100644
--- a/src/image.c
+++ b/src/image.c
@@ -511,40 +511,41 @@ static const char * image_types[] = {
 enum image_type image_type_from_data(struct image * image) {
 unsigned char buf[512];
+ size_t size;
 memset(buf, 0, sizeof(buf));
 image_seek(image, 0);
- image_read(image, buf, sizeof(buf));
+ size = image_read(image, buf, sizeof(buf));
- if ( memcmp(buf+52, "2NDAPE", 6) == 0 )
+ if ( size >= 58 && memcmp(buf+52, "2NDAPE", 6) == 0 )
 return IMAGE_2ND;
- else if ( memcmp(buf+20, "2ND", 3) == 0 )
+ else if ( size >= 23 && memcmp(buf+20, "2ND", 3) == 0 )
 return IMAGE_2ND;
- else if ( memcmp(buf+4, "NOLOScnd", 8) == 0 )
+ else if ( size >= 8 && memcmp(buf+4, "NOLOScnd", 8) == 0 )
 return IMAGE_SECONDARY;
- else if ( memcmp(buf+20, "X-LOADER", 8) == 0 )
+ else if ( size >= 28 && memcmp(buf+20, "X-LOADER", 8) == 0 )
 return IMAGE_XLOADER;
- else if ( memcmp(buf+12, "NOLOXldr", 8) == 0 )
+ else if ( size >= 20 && memcmp(buf+12, "NOLOXldr", 8) == 0 )
 return IMAGE_XLOADER;
- else if ( memcmp(buf+4, "NOLOXldr", 8) == 0 )
+ else if ( size >= 12 && memcmp(buf+4, "NOLOXldr", 8) == 0 )
 return IMAGE_2ND;
- else if ( memcmp(buf+36, "\x18\x28\x6f\x01", 4) == 0 ) /* ARM Linux kernel magic number */
+ else if ( size >= 40 && memcmp(buf+36, "\x18\x28\x6f\x01", 4) == 0 ) /* ARM Linux kernel magic number */
 return IMAGE_KERNEL;
- else if ( memcmp(buf+1, "\x00\x00\xea", 3) == 0 ) /* ARM U-Boot - instruction branch */
+ else if ( size >= 4 && memcmp(buf+1, "\x00\x00\xea", 3) == 0 ) /* ARM U-Boot - instruction branch */
 return IMAGE_KERNEL;
- else if ( memcmp(buf, "UBI#", 4) == 0 ) /* UBI EC header */
+ else if ( size >= 4 && memcmp(buf, "UBI#", 4) == 0 ) /* UBI EC header */
 return IMAGE_ROOTFS;
- else if ( memcmp(buf+510, "\x55\xaa", 2) == 0 ) /* FAT boot sector signature */
+ else if ( size >= 512 && memcmp(buf+510, "\x55\xaa", 2) == 0 ) /* FAT boot sector signature */
 return IMAGE_MMC;
- else if ( memcmp(buf, "\xb0\x00\x01\x03\x9d\x00\x00\x00", 8) == 0 )
+ else if ( size >= 8 && memcmp(buf, "\xb0\x00\x01\x03\x9d\x00\x00\x00", 8) == 0 )
 return IMAGE_CMT_2ND;
- else if ( memcmp(buf, "\xb1\x00\x00\x00\x82\x00\x00\x00", 8) == 0 )
+ else if ( size >= 8 && memcmp(buf, "\xb1\x00\x00\x00\x82\x00\x00\x00", 8) == 0 )
 return IMAGE_CMT_ALGO;
- else if ( memcmp(buf, "\xb2\x00\x00\x01\x44\x00\x00\x00", 8) == 0 )
+ else if ( size >= 8 && memcmp(buf, "\xb2\x00\x00\x01\x44\x00\x00\x00", 8) == 0 )
 return IMAGE_CMT_MCUSW;
- else if ( memcmp(buf, "\x45\x3d\xcd\x28", 4) == 0 ) /* CRAMFS MAGIC */
+ else if ( size >= 4 && memcmp(buf, "\x45\x3d\xcd\x28", 4) == 0 ) /* CRAMFS MAGIC */
 return IMAGE_INITFS;
- else if ( memcmp(buf, "\x85\x19", 2) == 0 ) { /* JFFS2 MAGIC */
+ else if ( size >= 2 && memcmp(buf, "\x85\x19", 2) == 0 ) { /* JFFS2 MAGIC */
 if ( image->size < 0x300000 )
 return IMAGE_INITFS;
 else
-- cgit v1.2.3
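Review bot: The bound on the `NOLOScnd` test is too small: it compares 8 bytes starting at `buf+4`, so it covers bytes 4–11 and needs `size >= 12`, as the later `NOLOXldr` test at the same offset already has. The line should read `else if ( size >= 12 && memcmp(buf+4, "NOLOScnd", 8) == 0 )`. Because `buf` is 512 bytes and zeroed by the `memset`, this is not an out-of-bounds read, but a read of 8–11 bytes is still compared partly against padding rather than file data, which is what the added checks are meant to rule out. Separately, `size` is a `size_t`; if `image_read()` can return a negative error value (its prototype is not visible here), that value would wrap to a large number and pass every length check, so the error case should be tested before the comparisons. The function body continues past the end of the hunk.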