The buffer gets allocated with the block device of size SECTOR_SIZE, but an ill-formed GPT header_size may exceed it resulting in heap-overflow.

Signed-off-by: Abdelrahman Youssef <abdelrahmanyossef12@xxxxxxxxx>
---
 common/partitions/efi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/partitions/efi.c b/common/partitions/efi.c
index 829360da6e..9a04b7014d 100644
--- a/common/partitions/efi.c
+++ b/common/partitions/efi.c
@@ -173,6 +173,9 @@ static int is_gpt_valid(struct block_device *blk, u64 lba,
 goto fail;
 }
 
+ if (le32_to_cpu((*gpt)->header_size) > bdev_logical_block_size(blk))
+ goto fail;
+
 /* Check the GUID Partition Table CRC */
 origcrc = le32_to_cpu((*gpt)->header_crc32);
 (*gpt)->header_crc32 = 0;
-- 
2.43.0
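Review bot: The new upper bound compares header_size against bdev_logical_block_size(blk), while the commit message says the header buffer is allocated with SECTOR_SIZE; if those two values can differ on some devices, the check does not bound the header length by the actual allocation, so it should compare against the size the buffer is really allocated with (or the allocation should use the logical block size so both agree). A lower bound is also missing: a header_size smaller than the header structure passes this check and is presumably then used as the length of the CRC over the header, so `if (le32_to_cpu((*gpt)->header_size) < sizeof(**gpt)) goto fail;` placed right after the new check would reject that case too. If the other fail paths in this function log the reason, a debug message naming the rejected header_size would make a crafted or corrupted image easier to diagnose. is_gpt_valid starts and ends outside the hunk, so the allocation and the CRC call are not visible here.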