From 6d53e31cba4ea5494aadb8c6c3f7bc56e17318cd Mon Sep 17 00:00:00 2001
From: Linus Torvalds
Date: Tue, 28 Aug 2018 17:26:48 -0700
Subject: [PATCH] garmin: fix file length header parsing

Oops. I used array_uint16_le() to get the data size. Too much copy-and-paste from the profile version (which is indeed 16 bits). The data size is a 32-bit entity, and this would truncate the data we read. Also, verify that there is space for the final CRC in the file, even if we don't actually check it.

Signed-off-by: Linus Torvalds
---
 src/garmin_parser.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/garmin_parser.c b/src/garmin_parser.c
index 22421af..c6cacf7 100644
--- a/src/garmin_parser.c
+++ b/src/garmin_parser.c
@@ -363,6 +363,7 @@ static int traverse_regular(struct garmin_parser_t *garmin,
 			ERROR(garmin->base.context, "Unknown base type %d\n", base_type);
 			data += size;
 			len -= size;
+			total_len += size;
 			continue;
 		}
 		base_size = base_size_array[base_type];
@@ -522,10 +523,10 @@ static int traverse_data(struct garmin_parser_t *garmin)
 	hdrsize = data[0];
 	protocol = data[1];
 	profile = array_uint16_le(data+2);
-	datasize = array_uint16_le(data+4);
+	datasize = array_uint32_le(data+4);
 	if (memcmp(data+8, ".FIT", 4))
 		return -1;
-	if (hdrsize < 12 || datasize > len || datasize + hdrsize > len)
+	if (hdrsize < 12 || datasize > len || datasize + hdrsize + 2 > len)
 		return -1;
 	garmin->cache.protocol = protocol;
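Review bot: In the unknown-base-type branch, `data += size; len -= size;` runs with no visible check that `size <= len`, so if that bound is not enforced earlier in traverse_regular (the function starts outside the hunk), a field definition carrying an oversized size would move `data` past the buffer end before `continue`. A guard such as `if (size > len) return -1;` ahead of the adjustment, or a comment naming where the bound is established, would make the ERROR path self-evidently safe. The type of `len` is not visible here, so whether the subtraction wraps or goes negative is inferred.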
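Review bot: The header fields at `data[0]`, `data[1]`, `data+2`, `data+4` and the `memcmp(data+8, ".FIT", 4)` are all read before the `hdrsize < 12 || ...` length test, so unless traverse_data established `len >= 12` above this hunk (the function begins outside it), a file shorter than the fixed header is read past its end before being rejected; a guard such as `if (len < 12) return -1;` ahead of `hdrsize = data[0];` would close that. The `+ 2` is the trailing 16-bit CRC the commit message mentions but reads as a magic number; a comment on the condition, `/* header + data + trailing 16-bit file CRC must all fit in len */`, would record it. The leading `datasize > len` test is what keeps the `datasize + hdrsize + 2` sum from wrapping when datasize is a large 32-bit value, so it is worth a note as well, e.g. `/* checked first so the sum below cannot wrap */`, though the types of datasize and len are not visible here.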