Common image usage is uImage + appended rootfs, so the the uImage data is only part of the total image. So read out and use the header's ih_size field instead of the total file size.
To prevent reading over the end of the buffer, check that the image file is big enough to contain the data before calculating its checksum.
Before: ~# mkimage -l dir665_fw_100NA.bin mkimage: ERROR: "dir665_fw_100NA/dir665_fw_100NA.bin" has corrupted data!
After: ~# mkimage -l dir665_fw_100NA.bin Image Name: Linux Kernel Image Created: Fri Feb 12 03:38:36 2010 Image Type: ARM Linux Kernel Image (lzma compressed) Data Size: 1107781 Bytes = 1081.82 kB = 1.06 MB Load Address: 00008000 Entry Point: 00008000
Signed-off-by: Jonas Gorski jogo@openwrt.org --- tools/default_image.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/default_image.c b/tools/default_image.c index e9d0729..db20e53 100644 --- a/tools/default_image.c +++ b/tools/default_image.c @@ -86,10 +86,11 @@ static int image_verify_header(unsigned char *ptr, int image_size, }
data = (const unsigned char *)ptr + sizeof(image_header_t); - len = image_size - sizeof(image_header_t) ; + len = be32_to_cpu(hdr->ih_size);
checksum = be32_to_cpu(hdr->ih_dcrc); - if (crc32(0, data, len) != checksum) { + if ((image_size - sizeof(image_header_t)) < len || + crc32(0, data, len) != checksum) { fprintf(stderr, "%s: ERROR: "%s" has corrupted data!\n", params->cmdname, params->imagefile);