From 97612228ba81aa65733b9995d20626a31f4954c9 Mon Sep 17 00:00:00 2001 From: Andrew Bradford Date: Mon, 6 Jul 2026 13:16:40 -0400 Subject: [PATCH] zynqmp: Fix null pHT segfault verifying partition-only images VerifyHeaderTableSignature() segfaulted on images with no bootloader partition (boot header sourceOffset == 0), such as a standalone signed FIT/Linux partition. That branch computed the signed header-block size from the pHT member, but ReadHeaderTableDetails() release()s each partition-header-table into the pHTs list, leaving pHT null. Normal bootloader images take the sourceOffset != 0 branch and never hit this, which is why it only showed up on partition-only images. Signed-off-by: Andrew Bradford --- zynqmp/src/verifyimage-zynqmp.cpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/zynqmp/src/verifyimage-zynqmp.cpp b/zynqmp/src/verifyimage-zynqmp.cpp index 361665a..e9c88b1 100755 --- a/zynqmp/src/verifyimage-zynqmp.cpp +++ b/zynqmp/src/verifyimage-zynqmp.cpp @@ -196,7 +196,15 @@ void ZynqMpReadImage::VerifyHeaderTableSignature() size_t headersSize = bH->sourceOffset - bH->imageHeaderByteOffset - RSA_4096_KEY_LENGTH; if(bH->sourceOffset == 0) { - headersSize = (pHT->partitionWordOffset * 4) - bH->imageHeaderByteOffset - RSA_4096_KEY_LENGTH; + /* With no bootloader partition, the boot header carries no source offset + to mark the end of the signed header block, so use the first partition's + data offset instead. Read it from the pHTs list: ReadHeaderTableDetails + releases each table into pHTs, leaving the pHT member null. */ + if (pHTs.empty()) + { + LOG_ERROR("No partition headers found in bootimage file %s", binFilename.c_str()); + } + headersSize = (pHTs.front()->partitionWordOffset * 4) - bH->imageHeaderByteOffset - RSA_4096_KEY_LENGTH; } auto tempBuffer = std::make_unique(headersSize); memset(tempBuffer.get(), 0, headersSize);