From 6658ad84d16494736fc179d35afb175818eb492c Mon Sep 17 00:00:00 2001
From: Ondrej Mikle
Date: Fri, 27 Oct 2023 15:02:20 +0200
Subject: [PATCH] fix(core/bootloader): explicit casts on version compare to control signed/unsigned arithmetic mix
---
 core/embed/bootloader/messages.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/core/embed/bootloader/messages.c b/core/embed/bootloader/messages.c
index f469fb91f6..83eb88dd63 100644
--- a/core/embed/bootloader/messages.c
+++ b/core/embed/bootloader/messages.c
@@ -432,18 +432,23 @@ static bool _read_payload(pb_istream_t *stream, const pb_field_t *field,
 }
 static int version_compare(uint32_t vera, uint32_t verb) {
+ /* Explicit casts so that we control how compiler does the unsigned shift
+ * and correctly then promote uint8_t to int without possibility of
+ * having implementation-defined right shift on negative int
+ * in case compiler promoted the wrong unsinged int
+ */
 int a, b;
- a = vera & 0xFF;
- b = verb & 0xFF;
+ a = (uint8_t)vera & 0xFF;
+ b = (uint8_t)verb & 0xFF;
 if (a != b) return a - b;
- a = (vera >> 8) & 0xFF;
- b = (verb >> 8) & 0xFF;
+ a = (uint8_t)(vera >> 8) & 0xFF;
+ b = (uint8_t)(verb >> 8) & 0xFF;
 if (a != b) return a - b;
- a = (vera >> 16) & 0xFF;
- b = (verb >> 16) & 0xFF;
+ a = (uint8_t)(vera >> 16) & 0xFF;
+ b = (uint8_t)(verb >> 16) & 0xFF;
 if (a != b) return a - b;
- a = (vera >> 24) & 0xFF;
- b = (verb >> 24) & 0xFF;
+ a = (uint8_t)(vera >> 24) & 0xFF;
+ b = (uint8_t)(verb >> 24) & 0xFF;
 return a - b;
 }
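Review bot: The justification in the new comment block does not match the code: `vera` and `verb` are `uint32_t`, so `vera >> 8` is already an unsigned shift with a non-negative result, and no integer-promotion path can turn it into a right shift of a negative `int` (with a 32-bit `int` the `uint32_t` is not promoted at all; with a wider `int` the promoted value is still non-negative, so the shift is well defined). The added `(uint8_t)` casts therefore change no value; they are acceptable as an explicit narrowing that keeps `-Wconversion`/static analyzers quiet, but the comment should say that instead of describing a hazard that cannot occur, and it has a typo (`unsinged`). Once the cast is present the trailing `& 0xFF` on each of the eight assignment lines is redundant, since `(uint8_t)(vera >> 8)` is already in 0..255, so each line can be shortened to `a = (uint8_t)(vera >> 8);` and likewise for `b`. I would replace the four-line comment with one sentence stating that each byte is narrowed to `uint8_t` and then widened to `int`, so `a - b` always lies in [-255, 255] and the subtraction cannot overflow.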