fix(rcar3-drivers): add integer overflow check Check against overflows while calculating the "len" variable. Reviewed-by: Tomer Fichman <Tomer.Fichman@cymotive.com> Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com> Change-Id: I0c50152a04365c6f52e0db3096e27e8a800c59ea

commit: 12d1e63e8186de3dc0b76648996d8f0f76837946 [log] [tgz]
author: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com> Sun Apr 23 19:14:51 2023 +0900
committer: Marek Vasut <marek.vasut+renesas@mailbox.org> Sun Dec 03 10:49:11 2023 +0100
tree: 17171485a265383de8496db29e909dd37a8b4774
parent: 55351b92cce26e809a63045c559f4e1e45763b49 [diff]
diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
index 8bbf988..bbd0b89 100644
--- a/drivers/renesas/common/io/io_rcar.c
+++ b/drivers/renesas/common/io/io_rcar.c

@@ -261,7 +261,14 @@
 	}
 
 	size = cert + RCAR_CERT_INFO_SIZE_OFFSET;
-	*len = mmio_read_32(size) * 4U;
+	val = mmio_read_32(size);
+	if (val > (UINT32_MAX / 4)) {
+		ERROR("BL2: %s[%d] uint32 overflow!\n", __func__, __LINE__);
+		*dst = 0;
+		*len = 0;
+		return;
+	}
+	*len = val * 4U;
 	dstl = cert + RCAR_CERT_INFO_DST_OFFSET;
 	dsth = dstl + 4U;
 	*dst = ((uintptr_t) mmio_read_32(dsth) << 32) +
commit	12d1e63e8186de3dc0b76648996d8f0f76837946	[log] [tgz]
author	Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com>	Sun Apr 23 19:14:51 2023 +0900
committer	Marek Vasut <marek.vasut+renesas@mailbox.org>	Sun Dec 03 10:49:11 2023 +0100
tree	17171485a265383de8496db29e909dd37a8b4774
parent	55351b92cce26e809a63045c559f4e1e45763b49 [diff]