From bd2eb59ded600c7a62b396f41dcf6937d567dca2 Mon Sep 17 00:00:00 2001
From: Bill Richardson
Date: Tue, 2 Dec 2014 19:31:38 -0800
Subject: [PATCH] futility: fix segfault when displaying truncated kernels

Also added a test for it.

BUG=none
BRANCH=none
TEST=make runtests

Change-Id: I108c75d114400e664f0ad1f29038a94cb1effd54
Signed-off-by: Bill Richardson
Reviewed-on: https://chromium-review.googlesource.com/233037
Reviewed-by: Randall Spangler
---
 futility/cmd_show.c | 4 ++--
 tests/futility/test_show_kernel.sh | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/futility/cmd_show.c b/futility/cmd_show.c
index f065b42c6b..f22626980c 100644
--- a/futility/cmd_show.c
+++ b/futility/cmd_show.c
@@ -382,7 +382,7 @@ int futil_cb_show_kernel_preamble(struct futil_traverse_state_s *state)
 uint32_t len = state->my_area->len;
 VbPublicKey *sign_key = option.k;
 uint8_t *kernel_blob = 0;
- uint64_t kernel_size;
+ uint64_t kernel_size = 0;
 int good_sig = 0;
 int retval = 0;

@@ -441,7 +441,7 @@ int futil_cb_show_kernel_preamble(struct futil_traverse_state_s *state)
 /* It's in a separate file, which we've already read in */
 kernel_blob = option.fv;
 kernel_size = option.fv_size;
- } else {
+ } else if (state->my_area->len > option.padding) {
 /* It should be at an offset within the input file. */
 kernel_blob = state->my_area->buf + option.padding;
 kernel_size = state->my_area->len - option.padding;
diff --git a/tests/futility/test_show_kernel.sh b/tests/futility/test_show_kernel.sh
index d43224517f..151cf4633c 100755
--- a/tests/futility/test_show_kernel.sh
+++ b/tests/futility/test_show_kernel.sh
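Review bot: In futility/cmd_show.c, hunk `@@ -441,7 +441,7 @@`, the new `else if (state->my_area->len > option.padding)` has no final `else`, so an oversized `--pad` falls through silently with `kernel_blob` still 0 and `kernel_size` 0 (the initializer added in the first hunk). Whether that state is rejected depends on code after the hunk, which is not visible here; if nothing there tests `kernel_blob` before use, a null pointer is read in place of the out-of-range one. I would make the failure explicit at this point, for example `} else { fprintf(stderr, "padding is not smaller than the input\n"); return 1; }`, using whatever error return the function already follows. A comment on the condition would also help: `/* len - padding would wrap to a huge kernel_size, and kernel_blob would point past buf, if padding >= len */` (this assumes both operands are unsigned, as `uint32_t len` suggests). The function body starts before and continues after both hunks.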
@@ -50,6 +50,28 @@ ${FUTILITY} show ${TMP}.kernel.test \

 echo 'Test kernel blob looks good'

+# Mess up the padding, make sure it fails.
+rc=0
+${FUTILITY} show ${TMP}.kernel.test \
+ --pad 0x100 \
+ --publickey ${DEVKEYS}/kernel_subkey.vbpubk \
+ || rc=$?
+[ $rc -ne 0 ]
+[ $rc -lt 128 ]
+
+echo 'Invalid args are invalid'
+
+# Look waaaaaay off the end of the file, make sure it fails.
+rc=0
+${FUTILITY} show ${TMP}.kernel.test \
+ --pad 0x100000 \
+ --publickey ${DEVKEYS}/kernel_subkey.vbpubk \
+ || rc=$?
+[ $rc -ne 0 ]
+[ $rc -lt 128 ]
+
+echo 'Really invalid args are still invalid'
+
 # cleanup
 rm -rf ${TMP}*
 exit 0
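Review bot: Neither new case exercises the boundary of the fix: the guard in cmd_show.c is `len > padding`, and the tests use `--pad 0x100` and `--pad 0x100000`, so a padding exactly equal to the file size is never run. A third case with `--pad $(stat -c %s ${TMP}.kernel.test)` and the same two `rc` checks would pin the `>` versus `>=` choice. The bare `[ $rc -ne 0 ]` and `[ $rc -lt 128 ]` lines only fail the test if the script runs with errexit, which is set outside this hunk if at all. Since any status from 1 to 127 passes, an unrelated failure such as a missing key file would satisfy both cases too; matching the expected error text would make them stricter.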