1 files changed, 27 insertions, 12 deletions

diff --git a/common/filetype.c b/common/filetype.c
index b8d54f7fe0..c1bd11db8c 100644
--- a/common/filetype.c
+++ b/common/filetype.c
@@ -105,19 +105,24 @@ enum filetype is_fat_or_mbr(const unsigned char *sector, unsigned long *bootsec)
 	return filetype_mbr;
 }
 
-enum filetype file_detect_type(void *_buf)
+enum filetype file_detect_type(void *_buf, size_t bufsize)
 {
 	u32 *buf = _buf;
 	u64 *buf64 = _buf;
 	u8 *buf8 = _buf;
 	enum filetype type;
 
+	if (bufsize < 9)
+		return filetype_unknown;
+
 	if (strncmp(buf8, "#!/bin/sh", 9) == 0)
 		return filetype_sh;
-	if (is_barebox_arm_head(_buf))
-		return filetype_arm_barebox;
-	if (buf[9] == 0x016f2818 || buf[9] == 0x18286f01)
-		return filetype_arm_zimage;
+
+	if (bufsize < 32)
+		return filetype_unknown;
+
+	if (strncmp(buf8, "BM", 2) == 0)
+		return filetype_bmp;
 	if (buf8[0] == 0x89 && buf8[1] == 0x4c && buf8[2] == 0x5a &&
 			buf8[3] == 0x4f)
 		return filetype_lzo_compressed;
@@ -136,15 +141,25 @@ enum filetype file_detect_type(void *_buf)
 		return filetype_oftree;
 	if (strncmp(buf8, "ANDROID!", 8) == 0)
 		return filetype_aimage;
+	if (buf64[0] == le64_to_cpu(0x0a1a0a0d474e5089ull))
+		return filetype_png;
 	if (strncmp(buf8 + 0x10, "barebox", 7) == 0)
 		return filetype_mips_barebox;
+
+	if (bufsize < 64)
+		return filetype_unknown;
+
+	if (is_barebox_arm_head(_buf))
+		return filetype_arm_barebox;
+	if (buf[9] == 0x016f2818 || buf[9] == 0x18286f01)
+		return filetype_arm_zimage;
+
+	if (bufsize < 512)
+		return filetype_unknown;
+
 	type = is_fat_or_mbr(buf8, NULL);
 	if (type != filetype_unknown)
 		return type;
-	if (strncmp(buf8, "BM", 2) == 0)
-		return filetype_bmp;
-	if (buf64[0] == le64_to_cpu(0x0a1a0a0d474e5089ull))
-		return filetype_png;
 
 	return filetype_unknown;
 }
@@ -160,13 +175,13 @@ enum filetype file_name_detect_type(const char *filename)
 	if (fd < 0)
 		return fd;
 
-	buf = xzalloc(512);
+	buf = xzalloc(FILE_TYPE_SAFE_BUFSIZE);
 
-	ret = read(fd, buf, 512);
+	ret = read(fd, buf, FILE_TYPE_SAFE_BUFSIZE);
 	if (ret < 0)
 		goto err_out;
 
-	type = file_detect_type(buf);
+	type = file_detect_type(buf, ret);
 
 	if (type == filetype_mbr) {
 		/*