bootm: allow correct bounds-check of destination
authorKees Cook <keescook@chromium.org>
Fri, 16 Aug 2013 14:59:16 +0000 (07:59 -0700)
committerSimon Glass <sjg@chromium.org>
Tue, 3 Sep 2013 19:30:26 +0000 (13:30 -0600)
While nothing presently examines the destination size, it should at
least be correct so that future users of sys_mapmem() will not be
surprised. Without this, it might be possible to overflow memory.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
common/cmd_bootm.c

index 2dd264272f9585920b1c6677e6e2391142f47dae..b07b0f48b20a9053ecef1d0cf9a3282fba17bd17 100644 (file)
@@ -368,7 +368,7 @@ static int bootm_load_os(bootm_headers_t *images, unsigned long *load_end,
 
        const char *type_name = genimg_get_type_name(os.type);
 
-       load_buf = map_sysmem(load, image_len);
+       load_buf = map_sysmem(load, unc_len);
        image_buf = map_sysmem(image_start, image_len);
        switch (comp) {
        case IH_COMP_NONE: