From fc29190dbaf9ca2671f9b5d00ac84af7080bd6e1 Mon Sep 17 00:00:00 2001
From: Eun0us
Date: Tue, 10 Feb 2026 19:11:59 +0100
Subject: [PATCH] fix(bootloader): prevent unsigned overflow in partition table validation

The bounds check `pos->offset + pos->size > chip_size` can silently wrap around when both offset and size are large uint32_t values, bypassing the validation entirely. Use `pos->size > chip_size - pos->offset` instead, which is safe because pos->offset <= chip_size is already verified by the first condition in the same expression. Found via https://github.com/Eun0us/esp-fuzzer
---
 components/bootloader_support/src/flash_partitions.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/bootloader_support/src/flash_partitions.c b/components/bootloader_support/src/flash_partitions.c
index a2e1fbb893..a971d73a33 100644
--- a/components/bootloader_support/src/flash_partitions.c
+++ b/components/bootloader_support/src/flash_partitions.c
@@ -23,7 +23,7 @@ esp_err_t esp_partition_table_verify(const esp_partition_info_t *partition_table
         if (part->magic == ESP_PARTITION_MAGIC) {
             const esp_partition_pos_t *pos = &part->pos;
-            if (pos->offset > chip_size || pos->offset + pos->size > chip_size) {
+            if (pos->offset > chip_size || pos->size > chip_size - pos->offset) {
                 if (log_errors) {
                     ESP_LOGE(TAG, "partition %d invalid - offset 0x%"PRIx32" size 0x%"PRIx32" exceeds flash chip size 0x%"PRIx32, num_parts, pos->offset, pos->size, chip_size);