Fix bugs found in security audit of gobi3k-sdk
BUG=chromeos-partner:4395 TEST=Adhoc Change-Id: I038c69daf7a88eeafd546cb0bb1beec921326c87 Reviewed-on: https://gerrit-int.chromium.org/2051 Reviewed-by: Elly Jones <ellyjones@google.com> Reviewed-by: Jason Glasgow <jglasgow@google.com> Reviewed-by: ttuttle <ttuttle@chromium.org> Tested-by: ttuttle <ttuttle@chromium.org>
parent
0287908d5c
commit
a5e26cca81
|
@ -770,7 +770,17 @@ sSharedBuffer * DB2PackQMIBuffer(
|
|||
}
|
||||
}
|
||||
|
||||
if (bufLen + (ULONG)sizeof(sQMIRawContentHeader) < bufLen)
|
||||
{
|
||||
bOK = false;
|
||||
break;
|
||||
}
|
||||
bufLen += (ULONG)sizeof(sQMIRawContentHeader);
|
||||
if (bufLen + packedLen < bufLen)
|
||||
{
|
||||
bOK = false;
|
||||
break;
|
||||
}
|
||||
bufLen += packedLen;
|
||||
|
||||
// What we are building cannot be too large
|
||||
|
|
|
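Review bot: Both added guards in DB2PackQMIBuffer, `bufLen + (ULONG)sizeof(sQMIRawContentHeader) < bufLen` and `bufLen + packedLen < bufLen`, detect overflow only if every operand is unsigned and no wider than `bufLen`. The declarations of `bufLen` and `packedLen` are outside the hunk, so their types should be confirmed; a signed or wider `packedLen` would change how the sum is evaluated and could let the check pass. A short comment above the first guard would record the intent, for example `// Unsigned wrap check: the sum is smaller than bufLen only if the addition overflowed`. The enclosing loop and whatever runs after `bOK = false; break;` are also outside the hunk, so it is not visible here whether the partially built buffer state is discarded on that path.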
@ -574,8 +574,8 @@ bool sParsedField::ParseString(
|
|||
ULONG numChars,
|
||||
cBitParser & bp )
|
||||
{
|
||||
// Validate size
|
||||
if (MAX_SHARED_BUFFER_SIZE < numChars)
|
||||
// Validate size (including '\0')
|
||||
if (MAX_SHARED_BUFFER_SIZE < numChars + 1)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
|
|
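Review bot: In the new size check of sParsedField::ParseString, `numChars + 1` wraps to 0 when `numChars` is the largest `ULONG` value, so that input passes `MAX_SHARED_BUFFER_SIZE < numChars + 1` even though the check is meant to reserve room for the terminator. The same bound can be written without the addition as `if (numChars >= MAX_SHARED_BUFFER_SIZE)`. The page has lost its +/- markers, so this assumes the second comment/condition pair is the new side. The rest of ParseString, including the copy that relies on this bound, is outside the hunk.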
@ -267,7 +267,7 @@ eGobiError cGobiQMICore::GetSignalStrengths(
|
|||
{
|
||||
ULONG fi = 0;
|
||||
ULONG auxSigs = (ULONG)pf[fi++].mValue.mU16;
|
||||
if (pf.size() <= 1 + 2 * auxSigs)
|
||||
if (pf.size() >= 1 + 2 * auxSigs)
|
||||
{
|
||||
for (ULONG s = 0; s < auxSigs; s++, fi += 2)
|
||||
{
|
||||
|
|
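Review bot: `pf[fi++]` is read to obtain `auxSigs` before any visible line checks that `pf` has at least one element, so the corrected `pf.size() >= 1 + 2 * auxSigs` test runs only after the first element has been indexed. Unless an emptiness check sits above the hunk, the read should go inside a guard such as `if (!pf.empty())`. What happens when the count test fails is also outside the hunk. If that path currently falls through, a count from the device that exceeds the parsed fields is silently ignored, and returning an error there would make malformed responses visible to the caller.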