qcacld-3.0: check the data length when downloading firmware

When downloading a corrupted firmware file that has chunk length in
header which doesn't match the contents, buffer over-read may occur.

To fix it, before downloading the data, ensure the length is equal or
smaller than the left size of the firmware file.

Change-Id: I4e0c6c4423f94f26a8c4573b5d234296890f4ecf
CRs-Fixed: 2314182

core/bmi/src/ol_fw.c

@@ -435,18 +435,22 @@ __ol_transfer_bin_file(struct ol_context *ol_ctx, enum ATH_BIN_FILE file,
 			|| chip_id == AR6320_REV1_3_VERSION
 			|| chip_id == AR6320_REV2_1_VERSION)) {
 
+			bin_off = sizeof(SIGN_HEADER_T);
 			status = bmi_sign_stream_start(address,
 						(uint8_t *)fw_entry->data,
-						sizeof(SIGN_HEADER_T), ol_ctx);
+						bin_off, ol_ctx);
 			if (status != EOK) {
 				BMI_ERR("unable to start sign stream");
 				status = -EINVAL;
 				goto end;
 			}
 
-			bin_off = sizeof(SIGN_HEADER_T);
-			bin_len = sign_header->rampatch_len
-				  - sizeof(SIGN_HEADER_T);
+			bin_len = sign_header->rampatch_len - bin_off;
+			if (bin_len <= 0 || bin_len > fw_entry_size - bin_off) {
+				BMI_ERR("Invalid sign header");
+				status = -EINVAL;
+				goto end;
+			}
 		} else {
 			bin_sign = false;
 			bin_off = 0;
@@ -477,7 +481,7 @@ __ol_transfer_bin_file(struct ol_context *ol_ctx, enum ATH_BIN_FILE file,
 		bin_off += bin_len;
 		bin_len = sign_header->total_len - sign_header->rampatch_len;
 
-		if (bin_len > 0) {
+		if (bin_len > 0 && bin_len <= fw_entry_size - bin_off) {
 			status = bmi_sign_stream_start(0,
 					(uint8_t *)fw_entry->data +
 					bin_off, bin_len, ol_ctx);