From: Raymond Mao <raymond.mao@linaro.org>
Date: Fri, 18 Jul 2025 14:16:16 +0000 (-0700)
Subject: bloblist: fix a potential negative size for memmove
X-Git-Tag: v2026.07-rc1~7^2~3
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=63cc797a7e89a2543c9997a271ad8f02b04a6777;p=thirdparty%2Fu-boot.git

bloblist: fix a potential negative size for memmove

It causes a panic when blob is shrunk and 'new_alloced' is less than
'next_ofs'. The data area that needs to be moved should end up at
'hdr->used_size'.

Fixes: 1fe59375498f ("bloblist: Support resizing a blob")
Signed-off-by: Raymond Mao <raymond.mao@linaro.org>
Reviewed-by: Tom Rini <trini@konsulko.com>
Tested-by: Michal Simek <michal.simek@amd.com>
---

diff --git a/common/bloblist.c b/common/bloblist.c
index 488908f605e..550c0c78ffc 100644
--- a/common/bloblist.c
+++ b/common/bloblist.c
@@ -335,7 +335,7 @@ static int bloblist_resize_rec(struct bloblist_hdr *hdr,
 	next_ofs = bloblist_blob_end_ofs(hdr, rec);
 	if (next_ofs != hdr->used_size) {
 		memmove((void *)hdr + next_ofs + expand_by,
-			(void *)hdr + next_ofs, new_alloced - next_ofs);
+			(void *)hdr + next_ofs, hdr->used_size - next_ofs);
 	}
 	hdr->used_size = new_alloced;