From d93d355fb64716622859a7ef7dff972caf02956b Mon Sep 17 00:00:00 2001
From: bgkim <bgkim@google.com>
Date: Wed, 28 Aug 2024 12:38:34 -0700
Subject: [PATCH] bootctrl: fixed OOB read in BootControl

Fixed OOB read in BootControl::isSlotMarkedSuccessful() by checking
if "in_slot" is negative

Flag: EXEMPT bugfix
Test: tested on Husky device
Bug: 353516777
Signed-off-by: bgkim <bgkim@google.com>
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:b584b9c7e081d803b32f0ff5f059573dfa6c0a0e)
Merged-In: I634c32a8c12403008fe5a724bc447f82931ae9c5
Change-Id: I634c32a8c12403008fe5a724bc447f82931ae9c5
---
 bootctrl/aidl/BootControl.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bootctrl/aidl/BootControl.cpp b/bootctrl/aidl/BootControl.cpp
index e771845..d894f8b 100644
--- a/bootctrl/aidl/BootControl.cpp
+++ b/bootctrl/aidl/BootControl.cpp
@@ -384,7 +384,7 @@ ScopedAStatus BootControl::isSlotMarkedSuccessful(int32_t in_slot, bool* _aidl_r
         *_aidl_return = true;
         return ScopedAStatus::ok();
     }
-    if (in_slot >= slots)
+    if (in_slot < 0 || in_slot >= slots)
         return ScopedAStatus::fromServiceSpecificErrorWithMessage(
                 INVALID_SLOT, (std::string("Invalid slot ") + std::to_string(in_slot)).c_str());