Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709) Bug: 166295507 Merged-In: I29d286d476565af2af7cb6b5e2165ea8de2b2b69 Change-Id: Id72cfafe90e134554fab7d21fa0f94181d68e11d

commit: 8491a425bc47375a8bf1450689bcab30db7343bc [log] [tgz]
author: Xin Li <delphij@google.com> Thu Aug 27 10:16:06 2020 -0700
committer: Xin Li <delphij@google.com> Thu Aug 27 10:16:06 2020 -0700
tree: 1252c9eeb76b56797b373a02e78ab1a190fd5339
parent: cd311c1dbee378c2d1711a09414c16e3b258a012 [diff]
parent: 2af782b5ae1abca5b00c5f6ec5e3db782fed0cb8 [diff]
diff --git a/libavb/avb_descriptor.c b/libavb/avb_descriptor.c
index 1f451ca..222a616 100644
--- a/libavb/avb_descriptor.c
+++ b/libavb/avb_descriptor.c

@@ -114,6 +114,10 @@
   desc_end = desc_start + desc_size;
 
   for (p = desc_start; p < desc_end;) {
+    if (p + sizeof(AvbDescriptor) > desc_end) {
+      avb_error("Invalid descriptor length.\n");
+      goto out;
+    }
     const AvbDescriptor* dh = (const AvbDescriptor*)p;
     uint64_t nb_following;
     uint64_t nb_total = 0;
commit	8491a425bc47375a8bf1450689bcab30db7343bc	[log] [tgz]
author	Xin Li <delphij@google.com>	Thu Aug 27 10:16:06 2020 -0700
committer	Xin Li <delphij@google.com>	Thu Aug 27 10:16:06 2020 -0700
tree	1252c9eeb76b56797b373a02e78ab1a190fd5339
parent	cd311c1dbee378c2d1711a09414c16e3b258a012 [diff]
parent	2af782b5ae1abca5b00c5f6ec5e3db782fed0cb8 [diff]