From: Simon Glass
Date: Wed, 18 Jan 2023 20:13:17 +0000 (-0700)
Subject: ifwitool: Fix member access
X-Git-Tag: v2025.01-rc5-pxa1908~1134^2~15
X-Git-Url: http://git.dujemihanovic.xyz/%22http:/kyber.dk/phpMyBuilder/static/git-logo.png?a=commitdiff_plain;h=a092f1e9064881a358fdf08cb1cee753cd680edf;p=u-boot.git

ifwitool: Fix member access

On a second and third look, a recent patch seems to be writing to the wrong place - updating offsets from the address of the pointer instead of what the pointer points to. Fix it.

Signed-off-by: Simon Glass
Fixes: 2d1b2ac13fe ("tool: ifwitool: Fix buffer overflow")
Acked-by: Sean Anderson
---

diff --git a/tools/ifwitool.c b/tools/ifwitool.c
index 31591863b2..c1defe5773 100644
--- a/tools/ifwitool.c
+++ b/tools/ifwitool.c
@@ -721,7 +721,7 @@ static size_t read_member(void *src, size_t offset, size_t size_bytes,
 */
 static size_t fix_member(void *data, size_t offset, size_t size_bytes)
 {
- uint8_t *src = (uint8_t *)data + offset;
+ void *src = (uint8_t *)data + offset;
 switch (size_bytes) {
 case 1:
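Review bot: The comment block that closes just above `fix_member()` would be a good place to state what `data` must be, because the `void *data` parameter accepted `&s` from every caller without any compiler diagnostic. A line such as `data: base of the structure to fix up (the object itself, not the address of a pointer to it)` would record the contract this commit restores. Only the closing `*/` of that comment is visible here, so it may already say this, and the body of `fix_member()` continues past the end of the hunk.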
@@ -1441,20 +1441,20 @@ static void bpdt_fixup_write_buffer(struct buffer *buf)
 size_t offset = 0;
- offset = fix_member(&s, offset, sizeof(h->signature));
- offset = fix_member(&s, offset, sizeof(h->descriptor_count));
- offset = fix_member(&s, offset, sizeof(h->bpdt_version));
- offset = fix_member(&s, offset, sizeof(h->xor_redundant_block));
- offset = fix_member(&s, offset, sizeof(h->ifwi_version));
- offset = fix_member(&s, offset, sizeof(h->fit_tool_version));
+ offset = fix_member(s, offset, sizeof(h->signature));
+ offset = fix_member(s, offset, sizeof(h->descriptor_count));
+ offset = fix_member(s, offset, sizeof(h->bpdt_version));
+ offset = fix_member(s, offset, sizeof(h->xor_redundant_block));
+ offset = fix_member(s, offset, sizeof(h->ifwi_version));
+ offset = fix_member(s, offset, sizeof(h->fit_tool_version));
 uint32_t i;
 for (i = 0; i < count; i++) {
- offset = fix_member(&s, offset, sizeof(e[i].type));
- offset = fix_member(&s, offset, sizeof(e[i].flags));
- offset = fix_member(&s, offset, sizeof(e[i].offset));
- offset = fix_member(&s, offset, sizeof(e[i].size));
+ offset = fix_member(s, offset, sizeof(e[i].type));
+ offset = fix_member(s, offset, sizeof(e[i].flags));
+ offset = fix_member(s, offset, sizeof(e[i].offset));
+ offset = fix_member(s, offset, sizeof(e[i].size));
 }
 }
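Review bot: Nothing visible in this hunk bounds `offset` by the size of `buf` before the `fix_member(s, offset, ...)` calls in the `for (i = 0; i < count; i++)` loop write through it. With the calls now targeting the buffer contents, a `count` larger than the number of entries the buffer actually holds would make the loop modify memory past its end. The function starts above the hunk and `count` is assigned there, so it may already be validated. If it is not, a guard ahead of the loop such as `if (buffer_size(buf) < sizeof(*h) || count > (buffer_size(buf) - sizeof(*h)) / sizeof(*e))` followed by the tool's usual error exit would close that gap. The same applies to the loop in `subpart_dir_fixup_write_buffer()`, where `count` comes from `h->num_entries`.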
@@ -1654,21 +1654,21 @@ static void subpart_dir_fixup_write_buffer(struct buffer *buf)
 size_t count = h->num_entries;
 size_t offset = 0;
- offset = fix_member(&s, offset, sizeof(h->marker));
- offset = fix_member(&s, offset, sizeof(h->num_entries));
- offset = fix_member(&s, offset, sizeof(h->header_version));
- offset = fix_member(&s, offset, sizeof(h->entry_version));
- offset = fix_member(&s, offset, sizeof(h->header_length));
- offset = fix_member(&s, offset, sizeof(h->checksum));
+ offset = fix_member(s, offset, sizeof(h->marker));
+ offset = fix_member(s, offset, sizeof(h->num_entries));
+ offset = fix_member(s, offset, sizeof(h->header_version));
+ offset = fix_member(s, offset, sizeof(h->entry_version));
+ offset = fix_member(s, offset, sizeof(h->header_length));
+ offset = fix_member(s, offset, sizeof(h->checksum));
 offset += sizeof(h->name);
 uint32_t i;
 for (i = 0; i < count; i++) {
 offset += sizeof(e[i].name);
- offset = fix_member(&s, offset, sizeof(e[i].offset));
- offset = fix_member(&s, offset, sizeof(e[i].length));
- offset = fix_member(&s, offset, sizeof(e[i].rsvd));
+ offset = fix_member(s, offset, sizeof(e[i].offset));
+ offset = fix_member(s, offset, sizeof(e[i].length));
+ offset = fix_member(s, offset, sizeof(e[i].rsvd));
 }
 }
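Review bot: The running `offset` in this function has to mirror the structure's field order by hand, and the two bare skips `offset += sizeof(h->name);` and `offset += sizeof(e[i].name);` do not say why those fields are stepped over rather than passed to `fix_member()`. A short comment on each, e.g. `/* name needs no fixup: just step over it */`, would make the intent clear and make a future mismatch with the struct layout easier to spot. The reason for the skip is inferred from the field names; the struct definitions and the start of the function are outside the hunk.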