summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTroy Kisky <troy.kisky@boundarydevices.com>2012-10-03 15:47:03 +0000
committerStefano Babic <sbabic@denx.de>2012-10-20 17:13:01 +0200
commit4d5fa985361f320c2c9830828bb52979927a4c0e (patch)
treecc4bbc33fd21c171e11830e0e3194e65bd6a7042
parentc2cfe57e7ce8ea8550cb9b8cc1f35053abe7815f (diff)
downloadu-boot-imx-4d5fa985361f320c2c9830828bb52979927a4c0e.zip
u-boot-imx-4d5fa985361f320c2c9830828bb52979927a4c0e.tar.gz
u-boot-imx-4d5fa985361f320c2c9830828bb52979927a4c0e.tar.bz2
imximage: check dcd_len as entries added
Before the len was checked after the entire file was processed, so it could have already overflowed. Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
-rw-r--r--tools/imximage.c26
1 files changed, 11 insertions, 15 deletions
diff --git a/tools/imximage.c b/tools/imximage.c
index 03a7716..c917036 100644
--- a/tools/imximage.c
+++ b/tools/imximage.c
@@ -71,6 +71,7 @@ static uint32_t imximage_version;
static set_dcd_val_t set_dcd_val;
static set_dcd_rst_t set_dcd_rst;
static set_imx_hdr_t set_imx_hdr;
+static uint32_t max_dcd_entries;
static uint32_t get_cfg_value(char *token, char *name, int linenr)
{
@@ -170,13 +171,6 @@ static void set_dcd_rst_v1(struct imx_header *imxhdr, uint32_t dcd_len,
{
dcd_v1_t *dcd_v1 = &imxhdr->header.hdr_v1.dcd_table;
- if (dcd_len > MAX_HW_CFG_SIZE_V1) {
- fprintf(stderr, "Error: %s[%d] -"
- "DCD table exceeds maximum size(%d)\n",
- name, lineno, MAX_HW_CFG_SIZE_V1);
- exit(EXIT_FAILURE);
- }
-
dcd_v1->preamble.barker = DCD_BARKER;
dcd_v1->preamble.length = dcd_len * sizeof(dcd_type_addr_data_t);
}
@@ -190,13 +184,6 @@ static void set_dcd_rst_v2(struct imx_header *imxhdr, uint32_t dcd_len,
{
dcd_v2_t *dcd_v2 = &imxhdr->header.hdr_v2.dcd_table;
- if (dcd_len > MAX_HW_CFG_SIZE_V2) {
- fprintf(stderr, "Error: %s[%d] -"
- "DCD table exceeds maximum size(%d)\n",
- name, lineno, MAX_HW_CFG_SIZE_V2);
- exit(EXIT_FAILURE);
- }
-
dcd_v2->header.tag = DCD_HEADER_TAG;
dcd_v2->header.length = cpu_to_be16(
dcd_len * sizeof(dcd_addr_data_t) + 8);
@@ -295,11 +282,13 @@ static void set_hdr_func(struct imx_header *imxhdr)
set_dcd_val = set_dcd_val_v1;
set_dcd_rst = set_dcd_rst_v1;
set_imx_hdr = set_imx_hdr_v1;
+ max_dcd_entries = MAX_HW_CFG_SIZE_V1;
break;
case IMXIMAGE_V2:
set_dcd_val = set_dcd_val_v2;
set_dcd_rst = set_dcd_rst_v2;
set_imx_hdr = set_imx_hdr_v2;
+ max_dcd_entries = MAX_HW_CFG_SIZE_V2;
break;
default:
err_imximage_version(imximage_version);
@@ -426,8 +415,15 @@ static void parse_cfg_fld(struct imx_header *imxhdr, int32_t *cmd,
value = get_cfg_value(token, name, lineno);
(*set_dcd_val)(imxhdr, name, lineno, fld, value, *dcd_len);
- if (fld == CFG_REG_VALUE)
+ if (fld == CFG_REG_VALUE) {
(*dcd_len)++;
+ if (*dcd_len > max_dcd_entries) {
+ fprintf(stderr, "Error: %s[%d] -"
+ "DCD table exceeds maximum size(%d)\n",
+ name, lineno, max_dcd_entries);
+ exit(EXIT_FAILURE);
+ }
+ }
break;
default:
break;