From 976831e6674db98cc7992db1479afff9d2877c81 Mon Sep 17 00:00:00 2001
From: William Wilgus
Date: Fri, 14 Dec 2018 04:22:16 -0600
Subject: Buflib add range checks blocks and crc_slot raise panic if out of range
Change-Id: I81df5c145a8cb003827a5423f484f70333e2472e
---
 firmware/buflib.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/firmware/buflib.c b/firmware/buflib.c
index 06b52ca934..f909ab8333 100644
--- a/firmware/buflib.c
+++ b/firmware/buflib.c
@@ -248,9 +248,16 @@ static bool
 move_block(struct buflib_context* ctx, union buflib_data* block, int shift)
 {
 char* new_start;
+
+ if (block < ctx->buf_start || block > ctx->alloc_end)
+ buflib_panic(ctx, "buflib data corrupted %p", block);
+
 union buflib_data *new_block, *tmp = block[1].handle, *crc_slot;
 struct buflib_callbacks *ops = block[2].ops;
 crc_slot = (union buflib_data*)tmp->alloc - 1;
+ if (crc_slot < ctx->buf_start || crc_slot > ctx->alloc_end)
+ buflib_panic(ctx, "buflib metadata corrupted %p", crc_slot);
+
 const int metadata_size = (crc_slot - block)*sizeof(union buflib_data);
 uint32_t crc = crc_32((void *)block, metadata_size, 0xffffffff);
-- 
cgit v1.2.3
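Review bot: `tmp->alloc` is still dereferenced before anything validates `tmp`: the new checks cover `block` and `crc_slot`, but `tmp` comes from `block[1].handle`, the same metadata the commit treats as possibly corrupted, so a bad handle is read through before the `crc_slot` check can fire. A range check on `tmp` against the handle table's bounds (not visible in this hunk) belongs ahead of the `crc_slot = ...` line. The upper bounds also look off by one if `alloc_end` is a one-past-the-end pointer, which the hunk does not show: `block > ctx->alloc_end` accepts `block == ctx->alloc_end` even though `block[1]` and `block[2]` are read next, so `block >= ctx->alloc_end` would be the tighter test. move_block's body continues past the end of the hunk.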