rimage: bound extended manifest header read to the section

The extended-manifest validator copied a fixed header from an offset that could
leave fewer than a header's worth of bytes, reading past the section. Require a
whole header to remain before the copy.

Signed-off-by: Liam Girdwood <liam.r.girdwood@linux.intel.com>

Author: lrgirdwo

tools/rimage/src/ext_manifest.c

@@ -69,6 +69,12 @@ static int ext_man_validate(uint32_t section_size, const void *section_data)
 
 	/* copy each head to local struct to omit memory align issues */
 	while (offset < section_size) {
+		/* make sure a whole header remains before copying it out */
+		if (offset + sizeof(head) > section_size) {
+			fprintf(stderr,
+				"error: extended manifest header straddles section end\n");
+			return -EINVAL;
+		}
 		memcpy(&head, &sbuf[offset], sizeof(head));
 		fprintf(stdout, "Extended manifest found module, type: 0x%04X size: 0x%04X (%4d) offset: 0x%04X\n",
 			head.type, head.elem_size, head.elem_size, offset);