From 4746554954fef059eb5240166feca4f9870d38e3 Mon Sep 17 00:00:00 2001
From: Ivan Grokhotkov <ivan@espressif.com>
Date: Mon, 11 Dec 2023 23:04:35 +0800
Subject: [PATCH] fix(nvs): prevent out of bounds write if blob data is
 inconsistent

---
 components/nvs_flash/src/nvs_storage.cpp | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/components/nvs_flash/src/nvs_storage.cpp b/components/nvs_flash/src/nvs_storage.cpp
index 194bfe2b0c..4c6ee0816b 100644
--- a/components/nvs_flash/src/nvs_storage.cpp
+++ b/components/nvs_flash/src/nvs_storage.cpp
@@ -512,6 +512,11 @@ esp_err_t Storage::readMultiPageBlob(uint8_t nsIndex, const char* key, void* dat
             }
             return err;
         }
+        if (item.varLength.dataSize > dataSize - offset) {
+            /* The size of the entry in the index is inconsistent with the sum of the sizes of chunks */
+            err = ESP_ERR_NVS_INVALID_LENGTH;
+            break;
+        }
         err = findPage->readItem(nsIndex, ItemType::BLOB_DATA, key, static_cast<uint8_t*>(data) + offset, item.varLength.dataSize, static_cast<uint8_t> (chunkStart) + chunkNum);
         if (err != ESP_OK) {
             return err;
@@ -520,11 +525,14 @@ esp_err_t Storage::readMultiPageBlob(uint8_t nsIndex, const char* key, void* dat
 
         offset += item.varLength.dataSize;
     }
+
+    if (err == ESP_ERR_NVS_NOT_FOUND || err == ESP_ERR_NVS_INVALID_LENGTH) {
+        // cleanup if a chunk is not found or the size is inconsistent
+        eraseMultiPageBlob(nsIndex, key);
+    }
+
     NVS_ASSERT_OR_RETURN(offset == dataSize, ESP_FAIL);
 
-    if (err == ESP_ERR_NVS_NOT_FOUND) {
-        eraseMultiPageBlob(nsIndex, key); // cleanup if a chunk is not found
-    }
     return err;
 }