Fix for crash-f49d257a34c42fb5620c3153569c573aa51802ec: stack-overflow in parseVolumeNonUefiData

pagabuc · NikolajSchlej · commit 786032de6752 · 2026-02-25T12:29:39.000+01:00
Malformed firmware can cause infinite recursion between parseVolumeBody and parseVolumeNonUefiData when the parent volume has the same offset as the current item. Add a recursion guard to break the cycle. Crash report (crash-f49d257a34c42fb5620c3153569c573aa51802ec): --- ERROR: AddressSanitizer: stack-overflow on address 0x7ffdde142fd8 #0 in TreeModel::base treemodel.cpp #1 in TreeModel::base treemodel.cpp:173 ---
diff --git a/common/ffsparser.cpp b/common/ffsparser.cpp
@@ -1874,7 +1874,11 @@ USTATUS FfsParser::parseVolumeNonUefiData(const UByteArray & data, const UINT32
     // Sanity check
     if (!index.isValid())
         return U_INVALID_PARAMETER;
-    
+
+    // If parent has the same offset as this item, then we are in infinite recursion, so we break here.
+    if (model->offset(index) == localOffset)
+        return U_INVALID_PARAMETER;
+
     // Get info
     UString info = usprintf("Full size: %Xh (%u)", (UINT32)data.size(), (UINT32)data.size());
     
