authorAlexey Polyudov <apolyudov@google.com>2016-06-27 14:21:14 -0700
committerAlexey Polyudov <apolyudov@google.com>2016-06-27 14:22:26 -0700
commit35c01d826536945348d674b04efef8d3ca5dbd30 (patch)
tree5c7c69872772ceabd2727e9947d732e9a9f579cd
parent0ccef9ffbbfaa52c6498fe3e68edf8a414706ea7 (diff)
downloadcontexthub-35c01d826536945348d674b04efef8d3ca5dbd30.tar.gz
nanoapp_sign: fix overread condidion
Bug: 29416389 Change-Id: If3d9619a46d904cea6b8497cdfaa5deb60895b6f Signed-off-by: Alexey Polyudov <apolyudov@google.com>
-rw-r--r--util/nanoapp_sign/nanoapp_sign.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/util/nanoapp_sign/nanoapp_sign.c b/util/nanoapp_sign/nanoapp_sign.c
index 6153d910..15edd14e 100644
--- a/util/nanoapp_sign/nanoapp_sign.c
+++ b/util/nanoapp_sign/nanoapp_sign.c
@@ -239,6 +239,11 @@ static int handleVerify(uint8_t **pbuf, uint32_t bufUsed, struct RsaData *rsa, b
bool lastTrusted = false;
int sigData;
+ if (bufUsed < (sizeof(*image) + sizeof(*secHdr))) {
+ fprintf(stderr, "Invalid signature header: file is too short\n");
+ return 2;
+ }
+
if (verbose)
fprintf(stderr, "Original Data len=%" PRIu32 " b; file size=%" PRIu32 " b; diff=%" PRIu32 " b\n",
secHdr->appDataLen, bufUsed, bufUsed - secHdr->appDataLen);
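Review bot: The guard added at the top of handleVerify only proves that the two fixed-size headers fit in the buffer. `secHdr->appDataLen` is still read from the file, and the verbose diagnostic just below computes `bufUsed - secHdr->appDataLen` in unsigned arithmetic, which wraps to a very large value when the field exceeds the file size. The function body continues outside the hunk, so a later range check may exist; if it does not, the field could be rejected here with `if (secHdr->appDataLen > bufUsed - sizeof(*image) - sizeof(*secHdr))`, assuming appDataLen counts only the payload after both headers (to be confirmed against the image format). A short comment on the new check, such as `/* both headers are dereferenced below; require them before any field access */`, would record why the threshold is the sum of the two sizes.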
@@ -515,7 +520,8 @@ int main(int argc, char **argv)
image = (struct ImageHeader *)buf;
if (!bareData && !txt2bin) {
- if (image->aosp.header_version == 1 &&
+ if (bufUsed >= sizeof(*image) &&
+ image->aosp.header_version == 1 &&
image->aosp.magic == NANOAPP_AOSP_MAGIC &&
image->layout.magic == GOOGLE_LAYOUT_MAGIC) {
fprintf(stderr, "Found AOSP header\n");
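Review bot: Because the size test is folded into the magic comparison in main, a file shorter than `sizeof(*image)` takes the same path as a full-size file with the wrong magic. That path is outside the hunk, so it cannot be seen whether it reads through `image` again or reports the truncation. A separate check before this `if`, for example `if (bufUsed < sizeof(*image)) { fprintf(stderr, "File is too short for an image header\n"); /* fail with main's usual error code */ }`, would make the failure explicit and keep later header reads behind one guard. If falling through is intentional, for instance to accept an older headerless format, a comment next to `bufUsed >= sizeof(*image)` should say so.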