From c26f27bef8cde6249dab86f4d46943260734793e Mon Sep 17 00:00:00 2001
From: Edward O'Callaghan
Date: Wed, 2 Feb 2022 17:15:05 +1100
Subject: [PATCH] fmap.c: Avoid undefined behaviour with fmap_lsearch([len:=0])

Calling libflashrom entry-points that internally dispatch to
fmap_lsearch() can result in an integer overflow. Therefore validate
the length parameter before attempting to use it.

BUG=none
TEST=`make`

Change-Id: Ifb408c55c3b69ddff453dcc704b7389298050473
Signed-off-by: Edward O'Callaghan
Spotted-by: Julius Werner
Reviewed-on: https://review.coreboot.org/c/flashrom/+/61545
Reviewed-by: Julius Werner
Reviewed-by: Nico Huber
Reviewed-by: Angel Pons
Tested-by: build bot (Jenkins)
---
 fmap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fmap.c b/fmap.c
index b18cbf799..0236b621a 100644
--- a/fmap.c
+++ b/fmap.c
@@ -96,6 +96,9 @@ static off_t fmap_lsearch(const uint8_t *buf, size_t len)
 	off_t offset;
 	bool fmap_found = 0;
 
+	if (len < sizeof(struct fmap))
+		return -1;
+
 	for (offset = 0; offset <= (off_t)(len - sizeof(struct fmap)); offset++) {
 		if (is_valid_fmap((struct fmap *)&buf[offset])) {
 			fmap_found = 1;
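Review bot: the new `len < sizeof(struct fmap)` guard at the top of the hunk is the right fix, but the commit message's description of the bug as an "integer overflow" / "undefined behaviour" does not match the expression it protects: `len - sizeof(struct fmap)` is unsigned arithmetic, which wraps with defined semantics to a value near SIZE_MAX, and the actual hazard is the `(off_t)` cast of that out-of-range value, whose result is implementation-defined and, depending on the relative widths of size_t and off_t, is either negative (the loop never runs, search silently fails) or large and positive (the loop reads `buf` far past `len`). Suggest rewording the message to "unsigned wraparound in the loop bound, then an out-of-range conversion to off_t" so the reasoning is accurate for whoever reads the log later. Two smaller points: please confirm that -1 is the same "not found" value the rest of fmap_lsearch() already returns (the function's tail is outside the hunk), so no caller needs a new error branch; and since the guard now guarantees the subtraction cannot wrap, the bound could stay in size_t, e.g. `for (offset = 0; (size_t)offset <= len - sizeof(struct fmap); offset++)`, which removes the signed cast that caused the trouble in the first place.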