diff options
author | Simon Glass <sjg@chromium.org> | 2023-01-18 23:13:17 +0300 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2023-01-27 20:51:26 +0300 |
commit | a092f1e9064881a358fdf08cb1cee753cd680edf (patch) | |
tree | b54b72d81df05d3ed36c2441c40ab13b2060d46f /tools/ifwitool.c | |
parent | e71505fc983ca1734d1033095cee23b66e2f06e8 (diff) | |
download | u-boot-a092f1e9064881a358fdf08cb1cee753cd680edf.tar.xz |
ifwitool: Fix member access
On a second and third look, a recent patch seems to be writing to the
wrong place - updating offsets from the address of the pointer instead
of what the pointer points to.
Fix it.
Signed-off-by: Simon Glass <sjg@chromium.org>
Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
Acked-by: Sean Anderson <seanga2@gmail.com>
Diffstat (limited to 'tools/ifwitool.c')
-rw-r--r-- | tools/ifwitool.c | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/tools/ifwitool.c b/tools/ifwitool.c index 31591863b2..c1defe5773 100644 --- a/tools/ifwitool.c +++ b/tools/ifwitool.c @@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes, */ static size_t fix_member(void *data, size_t offset, size_t size_bytes) { - uint8_t *src = (uint8_t *)data + offset; + void *src = (uint8_t *)data + offset; switch (size_bytes) { case 1: @@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf) size_t offset = 0; - offset = fix_member(&s, offset, sizeof(h->signature)); - offset = fix_member(&s, offset, sizeof(h->descriptor_count)); - offset = fix_member(&s, offset, sizeof(h->bpdt_version)); - offset = fix_member(&s, offset, sizeof(h->xor_redundant_block)); - offset = fix_member(&s, offset, sizeof(h->ifwi_version)); - offset = fix_member(&s, offset, sizeof(h->fit_tool_version)); + offset = fix_member(s, offset, sizeof(h->signature)); + offset = fix_member(s, offset, sizeof(h->descriptor_count)); + offset = fix_member(s, offset, sizeof(h->bpdt_version)); + offset = fix_member(s, offset, sizeof(h->xor_redundant_block)); + offset = fix_member(s, offset, sizeof(h->ifwi_version)); + offset = fix_member(s, offset, sizeof(h->fit_tool_version)); uint32_t i; for (i = 0; i < count; i++) { - offset = fix_member(&s, offset, sizeof(e[i].type)); - offset = fix_member(&s, offset, sizeof(e[i].flags)); - offset = fix_member(&s, offset, sizeof(e[i].offset)); - offset = fix_member(&s, offset, sizeof(e[i].size)); + offset = fix_member(s, offset, sizeof(e[i].type)); + offset = fix_member(s, offset, sizeof(e[i].flags)); + offset = fix_member(s, offset, sizeof(e[i].offset)); + offset = fix_member(s, offset, sizeof(e[i].size)); } } @@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf) size_t count = h->num_entries; size_t offset = 0; - offset = fix_member(&s, offset, sizeof(h->marker)); - offset = fix_member(&s, offset, sizeof(h->num_entries)); - offset = fix_member(&s, offset, sizeof(h->header_version)); - offset = fix_member(&s, offset, sizeof(h->entry_version)); - offset = fix_member(&s, offset, sizeof(h->header_length)); - offset = fix_member(&s, offset, sizeof(h->checksum)); + offset = fix_member(s, offset, sizeof(h->marker)); + offset = fix_member(s, offset, sizeof(h->num_entries)); + offset = fix_member(s, offset, sizeof(h->header_version)); + offset = fix_member(s, offset, sizeof(h->entry_version)); + offset = fix_member(s, offset, sizeof(h->header_length)); + offset = fix_member(s, offset, sizeof(h->checksum)); offset += sizeof(h->name); uint32_t i; for (i = 0; i < count; i++) { offset += sizeof(e[i].name); - offset = fix_member(&s, offset, sizeof(e[i].offset)); - offset = fix_member(&s, offset, sizeof(e[i].length)); - offset = fix_member(&s, offset, sizeof(e[i].rsvd)); + offset = fix_member(s, offset, sizeof(e[i].offset)); + offset = fix_member(s, offset, sizeof(e[i].length)); + offset = fix_member(s, offset, sizeof(e[i].rsvd)); } } |