From 07f2e30430794359464032c38b29fd5bc703253e Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson
Date: Tue, 26 Sep 2023 23:43:26 -0400
Subject: [PATCH 1/2] bootimage: Ensure page_size is never 0

Otherwise, we'll panic due to dividing by 0.

(Found by honggfuzz)

Issue: #160

Signed-off-by: Andrew Gunnerson
---
 avbroot/src/format/bootimage.rs | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/avbroot/src/format/bootimage.rs b/avbroot/src/format/bootimage.rs
index a37fd4f..a5308e5 100644
--- a/avbroot/src/format/bootimage.rs
+++ b/avbroot/src/format/bootimage.rs
@@ -272,6 +272,8 @@ impl FromReader for BootImageV0Through2 {
             return Err(Error::FieldOutOfBounds("ramdisk_size"));
         } else if second_size > COMPONENT_MAX_SIZE {
             return Err(Error::FieldOutOfBounds("second_size"));
+        } else if page_size == 0 {
+            return Err(Error::InvalidFieldValue("page_size", 0));
         }
 
         let os_version = reader.read_u32::()?;
@@ -422,6 +424,8 @@ impl ToWriter for BootImageV0Through2 {
             return Err(Error::FieldOutOfBounds("ramdisk_size"));
         } else if self.second.len() > COMPONENT_MAX_SIZE as usize {
             return Err(Error::FieldOutOfBounds("second_size"));
+        } else if self.page_size == 0 {
+            return Err(Error::InvalidFieldValue("page_size", 0));
         }
 
         if let Some(v1) = &self.v1_extra {
@@ -964,6 +968,10 @@ impl FromReader for VendorBootImageV3Through4 {
         }
 
         let page_size = reader.read_u32::()?;
+        if page_size == 0 {
+            return Err(Error::InvalidFieldValue("page_size", 0));
+        }
+
         let kernel_addr = reader.read_u32::()?;
         let ramdisk_addr = reader.read_u32::()?;
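Review bot: The new `page_size == 0` guard is repeated verbatim in four places (this hunk, the ToWriter hunk at +424, and both VendorBootImageV3Through4 hunks), and the vendor FromReader hunk adds it as a standalone `if` while the other three extend an existing `else if` chain; a single helper such as `fn check_page_size(page_size: u32) -> Result<(), Error>` that returns `Error::InvalidFieldValue("page_size", 0)` would keep the four sites consistent and give the invariant one home. Zero is the only value rejected here, and the field is presumably u32 as it is in the vendor parser, so a page size like u32::MAX is still accepted; if page_size later feeds padding or rounding arithmetic, it is worth confirming that the existing component size bounds keep the resulting padded lengths sane. The enclosing function body begins and ends outside this hunk.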
@@ -1148,10 +1156,10 @@ impl ToWriter for VendorBootImageV3Through4 {
         let vendor_ramdisk_size = self.ramdisks.iter().map(|r| r.len()).sum::();
         if vendor_ramdisk_size > COMPONENT_MAX_SIZE as usize {
             return Err(Error::FieldOutOfBounds("vendor_ramdisk_size"));
-        }
-
-        if self.dtb.len() > COMPONENT_MAX_SIZE as usize {
+        } else if self.dtb.len() > COMPONENT_MAX_SIZE as usize {
             return Err(Error::FieldOutOfBounds("dtb_size"));
+        } else if self.page_size == 0 {
+            return Err(Error::InvalidFieldValue("page_size", 0));
         }
 
         if let Some(v4) = &self.v4_extra {

From f85b6eec468d0fcaebe190303deb99f3b6d7b894 Mon Sep 17 00:00:00 2001
From: Andrew Gunnerson
Date: Tue, 26 Sep 2023 23:47:50 -0400
Subject: [PATCH 2/2] bootimage: Fix panic when validating vendor v4 table size

The multiplication can overflow.

(Found by honggfuzz)

Issue: #160

Signed-off-by: Andrew Gunnerson
---
 avbroot/src/format/bootimage.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/avbroot/src/format/bootimage.rs b/avbroot/src/format/bootimage.rs
index a5308e5..b077c16 100644
--- a/avbroot/src/format/bootimage.rs
+++ b/avbroot/src/format/bootimage.rs
@@ -1020,7 +1020,7 @@ impl FromReader for VendorBootImageV3Through4 {
                     "vendor_ramdisk_table_entry_size",
                     table_entry_size,
                 ));
-            } else if table_size != table_entry_num * table_entry_size {
+            } else if table_entry_num.checked_mul(table_entry_size) != Some(table_size) {
                 return Err(Error::InvalidFieldValue(
                     "vendor_ramdisk_table_size",
                     table_size,
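Review bot: When `checked_mul` returns `None` the branch reports `vendor_ramdisk_table_size` with `table_size`, but the overflow is a property of `table_entry_num * table_entry_size`, so on that path the error names a field that may itself be valid; a comment above the condition would spare the next reader a detour, e.g. `// The product can exceed u32 (found by fuzzing); an overflowing entry count can never match table_size, so it is reported as a table_size mismatch.` Binding the product first, `let expected_table_size = table_entry_num.checked_mul(table_entry_size);` and comparing `Some(table_size) != expected_table_size`, would also keep the comparison reading in the same direction as the original line. The enclosing function starts and ends outside this hunk.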