From 7cfe68d965d060dc7d5b094b55e02ce5be15d369 Mon Sep 17 00:00:00 2001
From: Jacob Garber <jgarber1@ualberta.ca>
Date: Tue, 16 Jul 2019 13:14:09 -0600
Subject: device/pci_rom.c: Fix out of bounds read

run_rom->data is a uint16_t, so use the appropriate read function.

Change-Id: Icc14421412885495df90c90ed7da6e7d2eba4182
Signed-off-by: Jacob Garber <jgarber1@ualberta.ca>
Found-by: Coverity CID 1402145
Reviewed-on: https://review.coreboot.org/c/coreboot/+/34372
Reviewed-by: Marshall Dawson <marshalldawson3rd@gmail.com>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 src/device/pci_rom.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/device/pci_rom.c')

diff --git a/src/device/pci_rom.c b/src/device/pci_rom.c
index 34a9a81a52..2b2d46d57b 100644
--- a/src/device/pci_rom.c
+++ b/src/device/pci_rom.c
@@ -192,7 +192,7 @@ static struct rom_header *check_initialized(struct device *dev)
 		return NULL;
 
 	rom_data = (struct pci_data *)((u8 *)run_rom
-			+ read_le32(&run_rom->data));
+			+ read_le16(&run_rom->data));
 
 	if (read_le32(&rom_data->signature) == PCI_DATA_HDR
 			&& read_le16(&rom_data->device) == dev->device
-- 
cgit v1.2.3