Added boundary checks for delta image

danielinux · danielinux · commit 96228bdd2550 · 2026-02-24T10:51:11.000+01:00
diff --git a/src/delta.c b/src/delta.c
@@ -118,6 +118,9 @@ int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len)
             sz = ctx->blk_sz;
             if (sz > len)
                 sz = len;
+            if (ctx->blk_off > ctx->src_size ||
+                    sz > ctx->src_size - ctx->blk_off)
+                return -1;
             memcpy(dst + dst_off, ctx->src_base + ctx->blk_off, sz);
             if (ctx->blk_sz > len) {
                 ctx->blk_sz -= len;
@@ -150,6 +153,9 @@ int wb_patch(WB_PATCH_CTX *ctx, uint8_t *dst, uint32_t len)
                 } else {
                     copy_sz = sz;
                 }
+                if (src_off > ctx->src_size ||
+                        copy_sz > ctx->src_size - src_off)
+                    return -1;
                 memcpy(dst + dst_off, ctx->src_base + src_off, copy_sz);
                 if (sz == copy_sz) {
                     /* End of the block, reset counters and matching state */
diff --git a/tools/unit-tests/unit-delta.c b/tools/unit-tests/unit-delta.c
@@ -48,6 +48,49 @@ START_TEST(test_wb_patch_init_invalid)
 }
 END_TEST
 
+START_TEST(test_wb_patch_src_bounds_invalid)
+{
+    WB_PATCH_CTX patch_ctx;
+    uint8_t src[SRC_SIZE] = {0};
+    uint8_t patch[PATCH_SIZE] = {0};
+    uint8_t dst[DELTA_BLOCK_SIZE] = {0};
+    int ret;
+
+    /* ESC + header with src_off beyond src_size */
+    patch[0] = ESC;
+    patch[1] = 0x00; /* off[0] */
+    patch[2] = 0x10; /* off[1] -> 0x001000 */
+    patch[3] = 0x00; /* off[2] */
+    patch[4] = 0x00; /* sz[0] */
+    patch[5] = 0x10; /* sz[1] -> 16 */
+
+    ret = wb_patch_init(&patch_ctx, src, SRC_SIZE, patch, BLOCK_HDR_SIZE);
+    ck_assert_int_eq(ret, 0);
+
+    ret = wb_patch(&patch_ctx, dst, sizeof(dst));
+    ck_assert_int_eq(ret, -1);
+}
+END_TEST
+
+START_TEST(test_wb_patch_resume_bounds_invalid)
+{
+    WB_PATCH_CTX patch_ctx;
+    uint8_t src[SRC_SIZE] = {0};
+    uint8_t patch[PATCH_SIZE] = {0};
+    uint8_t dst[DELTA_BLOCK_SIZE] = {0};
+    int ret;
+
+    ret = wb_patch_init(&patch_ctx, src, SRC_SIZE, patch, BLOCK_HDR_SIZE);
+    ck_assert_int_eq(ret, 0);
+
+    patch_ctx.matching = 1;
+    patch_ctx.blk_off = SRC_SIZE + 1;
+    patch_ctx.blk_sz = 4;
+
+    ret = wb_patch(&patch_ctx, dst, sizeof(dst));
+    ck_assert_int_eq(ret, -1);
+}
+END_TEST
 
 START_TEST(test_wb_diff_init_invalid)
 {
@@ -162,6 +205,8 @@ Suite *patch_diff_suite(void)
 
     tcase_add_test(tc_wolfboot_delta, test_wb_patch_init_invalid);
     tcase_add_test(tc_wolfboot_delta, test_wb_diff_init_invalid);
+    tcase_add_test(tc_wolfboot_delta, test_wb_patch_src_bounds_invalid);
+    tcase_add_test(tc_wolfboot_delta, test_wb_patch_resume_bounds_invalid);
     tcase_add_test(tc_wolfboot_delta, test_wb_patch_and_diff);
     suite_add_tcase(s, tc_wolfboot_delta);
 
