Added bound check to get_decrypted_blob_version

danielinux · danielinux · commit 2239c6e163ab · 2026-03-12T09:28:51.000+01:00
F/374
diff --git a/src/update_disk.c b/src/update_disk.c
@@ -134,6 +134,9 @@ static uint32_t get_decrypted_blob_version(uint8_t *hdr)
             continue;
         }
 
+        if (p + 4 + tlv_len > max_p)
+            break;
+
         if (tlv_type == HDR_VERSION && tlv_len == 4) {
             uint32_t ver = *((uint32_t*)(p + 4));
             return ver;

Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,9 @@ static uint32_t get_decrypted_blob_version(uint8_t *hdr)`
`134`	`134`	`continue;`
`135`	`135`	`}`
`136`	`136`
	`137`	`+ if (p + 4 + tlv_len > max_p)`
	`138`	`+ break;`
	`139`	`+`
`137`	`140`	`if (tlv_type == HDR_VERSION && tlv_len == 4) {`
`138`	`141`	`uint32_t ver = ((uint32_t)(p + 4));`
`139`	`142`	`return ver;`