From 4ed6487a19c3b3f8a6c7ef7b72b475d3d5b2fbe1 Mon Sep 17 00:00:00 2001
From: matejcik <ja@matejcik.cz>
Date: Tue, 18 Feb 2020 10:03:12 +0100
Subject: [PATCH] core/sdcard: add out-of-bounds checks to emulator

---
 core/embed/unix/sdcard.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/core/embed/unix/sdcard.c b/core/embed/unix/sdcard.c
index 92a807b16..46cc5b0f2 100644
--- a/core/embed/unix/sdcard.c
+++ b/core/embed/unix/sdcard.c
@@ -34,6 +34,7 @@
 #endif
 
 #define SDCARD_SIZE (64 * 1024 * 1024)
+#define SDCARD_BLOCKS (SDCARD_SIZE / SDCARD_BLOCK_SIZE)
 
 static uint8_t *sdcard_buffer = NULL;
 static secbool sdcard_powered = secfalse;
@@ -103,6 +104,12 @@ secbool sdcard_read_blocks(uint32_t *dest, uint32_t block_num,
   if (sectrue != sdcard_powered) {
     return secfalse;
   }
+  if (block_num >= SDCARD_BLOCKS) {
+    return secfalse;
+  }
+  if (num_blocks > SDCARD_BLOCKS - block_num) {
+    return secfalse;
+  }
   memcpy(dest, sdcard_buffer + block_num * SDCARD_BLOCK_SIZE,
          num_blocks * SDCARD_BLOCK_SIZE);
   return sectrue;
@@ -113,6 +120,12 @@ secbool sdcard_write_blocks(const uint32_t *src, uint32_t block_num,
   if (sectrue != sdcard_powered) {
     return secfalse;
   }
+  if (block_num >= SDCARD_BLOCKS) {
+    return secfalse;
+  }
+  if (num_blocks > SDCARD_BLOCKS - block_num) {
+    return secfalse;
+  }
   memcpy(sdcard_buffer + block_num * SDCARD_BLOCK_SIZE, src,
          num_blocks * SDCARD_BLOCK_SIZE);
   return sectrue;