From 3783e28f0e57bf47ba12c67df9e0f09143b17abd Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Fri, 30 Dec 2016 13:16:22 +1100
Subject: [PATCH] bootloader: Check all partitions fit inside configured flash size

---
 .../bootloader_support/src/flash_partitions.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/components/bootloader_support/src/flash_partitions.c b/components/bootloader_support/src/flash_partitions.c
index ed427df1a6..b60968f969 100644
--- a/components/bootloader_support/src/flash_partitions.c
+++ b/components/bootloader_support/src/flash_partitions.c
@@ -13,32 +13,43 @@
 // limitations under the License.
 #include "esp_flash_partitions.h"
 #include "esp_log.h"
+#include "rom/spi_flash.h"
 static const char *TAG = "flash_parts";
 esp_err_t esp_partition_table_basic_verify(const esp_partition_info_t *partition_table, bool log_errors, int *num_partitions)
 {
     int num_parts;
+    uint32_t chip_size = g_rom_flashchip.chip_size;
     *num_partitions = 0;
     for(num_parts = 0; num_parts < ESP_PARTITION_TABLE_MAX_ENTRIES; num_parts++) {
         const esp_partition_info_t *part = &partition_table[num_parts];
-        if(part->magic == 0xFFFF
-           && part->type == PART_TYPE_END
-           && part->subtype == PART_SUBTYPE_END) {
+        if (part->magic == 0xFFFF
+            && part->type == PART_TYPE_END
+            && part->subtype == PART_SUBTYPE_END) {
             /* TODO: check md5 */
             ESP_LOGD(TAG, "partition table verified, %d entries", num_parts);
             *num_partitions = num_parts;
             return ESP_OK;
         }
-        if(part->magic != ESP_PARTITION_MAGIC) {
+        if (part->magic != ESP_PARTITION_MAGIC) {
             if (log_errors) {
                 ESP_LOGE(TAG, "partition %d invalid magic number 0x%x", num_parts, part->magic);
             }
             return ESP_ERR_INVALID_STATE;
         }
+
+        const esp_partition_pos_t *pos = &part->pos;
+        if (pos->offset > chip_size || pos->offset + pos->size > chip_size) {
+            if (log_errors) {
+                ESP_LOGE(TAG, "partition %d invalid - offset 0x%x size 0x%x exceeds flash chip size 0x%x",
+                         num_parts, pos->offset, pos->size, chip_size);
+            }
+            return ESP_ERR_INVALID_SIZE;
+        }
     }
     if (log_errors) {
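Review bot: The new range check `pos->offset + pos->size > chip_size` can be defeated by unsigned wraparound: if `offset` and `size` are 32-bit fields (as the `0x%x` format and the `uint32_t chip_size` suggest), an entry such as offset 0x10000 with size 0xFFFF0000 sums to 0, passes the check, and the bootloader accepts a partition that extends far beyond the end of flash. Since the first clause already guarantees `pos->offset <= chip_size`, the overflow-free form is `if (pos->offset > chip_size || pos->size > chip_size - pos->offset) {`. The partition table is itself the untrusted input being validated here (it is read from flash and the `/* TODO: check md5 */` shows it is not yet integrity-checked), so its arithmetic should not be assumed well-formed. Note also that `chip_size` is taken from `g_rom_flashchip`, i.e. the configured size rather than a probed one, so a table can pass this check and still exceed the physical chip; a short comment on the `chip_size` declaration such as `/* configured size from the ROM flash descriptor, not probed from the chip */` would make that limit explicit. The enclosing function continues past the end of the hunk.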