diff options
| -rw-r--r-- | firmware/buflib.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/firmware/buflib.c b/firmware/buflib.c index 06b52ca934..f909ab8333 100644 --- a/firmware/buflib.c +++ b/firmware/buflib.c | |||
| @@ -248,9 +248,16 @@ static bool | |||
| 248 | move_block(struct buflib_context* ctx, union buflib_data* block, int shift) | 248 | move_block(struct buflib_context* ctx, union buflib_data* block, int shift) |
| 249 | { | 249 | { |
| 250 | char* new_start; | 250 | char* new_start; |
| 251 | |||
| 252 | if (block < ctx->buf_start || block > ctx->alloc_end) | ||
| 253 | buflib_panic(ctx, "buflib data corrupted %p", block); | ||
| 254 | |||
| 251 | union buflib_data *new_block, *tmp = block[1].handle, *crc_slot; | 255 | union buflib_data *new_block, *tmp = block[1].handle, *crc_slot; |
| 252 | struct buflib_callbacks *ops = block[2].ops; | 256 | struct buflib_callbacks *ops = block[2].ops; |
| 253 | crc_slot = (union buflib_data*)tmp->alloc - 1; | 257 | crc_slot = (union buflib_data*)tmp->alloc - 1; |
| 258 | if (crc_slot < ctx->buf_start || crc_slot > ctx->alloc_end) | ||
| 259 | buflib_panic(ctx, "buflib metadata corrupted %p", crc_slot); | ||
| 260 | |||
| 254 | const int metadata_size = (crc_slot - block)*sizeof(union buflib_data); | 261 | const int metadata_size = (crc_slot - block)*sizeof(union buflib_data); |
| 255 | uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff); | 262 | uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff); |
| 256 | 263 | ||