Peer review fixes (copilot)

src/fdt.c, include/fdt.h
  - Propagate fdt_fixup_initrd error in fit_load_ramdisk so a /chosen
    patch failure no longer silently boots a kernel with no initrd.
  - Add fit_load_image_to(): decompress (or memcpy) directly to a
    caller-supplied destination buffer instead of going through the
    FIT-declared `load` address. fit_load_ramdisk now uses this when
    WOLFBOOT_LOAD_RAMDISK_ADDRESS is set, so the override is a real
    safety bound for compressed ramdisks (previously the gzip stream
    was still inflated to the FIT `load` and only memcpy'd afterward).
  - Refactor fit_load_image_ex into a shared inner helper.
  - Reword the WOLFBOOT_FIT_MAX_DECOMP comment: the cap is a sanity
    ceiling, not a per-destination memory-safety bound. Authenticity
    is provided by the outer wolfBoot signature; tighter bounds need
    fit_load_image_ex / _to with an explicit out_max / dst_max.
  - Add WOLFBOOT_FIT_MAX_RAMDISK (defaults to WOLFBOOT_FIT_MAX_DECOMP)
    so targets can pin a tighter ramdisk decompression bound.

src/update_ram.c, src/update_disk.c
  - Panic when fit_load_image() returns NULL for the kernel subimage
    instead of letting load_address=NULL propagate into do_boot().

tools/unit-tests/unit-gzip.c
  - Add deterministic stored / fixed-Huffman / dynamic-Huffman gzip
    fixtures so the inflater's BTYPE 00/01/10 paths are exercised
    independent of host gzip(1) heuristics.
  - Add FEXTRA / FNAME / FCOMMENT / FHCRC and combined-flag fixtures
    plus a truncated-FEXTRA negative case to cover the optional gzip
    header parser.

tools/unit-tests/unit-fit-gzip.c (new), tools/unit-tests/Makefile
  - New libcheck binary covering the FIT loader's compression
    branches: gzip success, gzip stream corruption, unknown
    compression, compression="none" baseline, and the no-load
    fail-closed path. Built twice from the same source - once with
    WOLFBOOT_GZIP for the success / runtime-failure paths, and once
    without it so the compile-time fail-closed branch is also tested.

Author: dgarske

include/fdt.h

@@ -172,6 +172,12 @@ const char* fit_find_images(void* fdt, const char** pkernel, const char** pflat_
     const char** pramdisk);
 void* fit_load_image(void* fdt, const char* image, int* lenp);
 void* fit_load_image_ex(void* fdt, const char* image, int* lenp, uint32_t out_max);
+/* Load (and, if compressed, decompress) a FIT subimage directly to a
+ * caller-supplied destination buffer. Overrides the FIT image's
+ * `load` and `entry` properties - dst is both the destination and the
+ * value returned. dst_max bounds the decompressed size. */
+void* fit_load_image_to(void* fdt, const char* image, void* dst,
+    uint32_t dst_max, int* lenp);
 
 /* FDT initrd fixup: writes /chosen/linux,initrd-{start,end} as 64-bit
  * big-endian properties. Creates /chosen if missing. Returns 0 on success

src/fdt.c

@@ -34,10 +34,15 @@
 #include "gzip.h"
 #endif
 
-/* Default upper bound on a single FIT subimage's decompressed size.
- * The outer wolfBoot signature already authenticates the FIT, but a
- * concrete cap defends against a malformed-but-signed FIT scribbling
- * across unrelated memory. Override per target via:
+/* Coarse upper bound on a single FIT subimage's decompressed size.
+ * This is a sanity ceiling, not a per-destination memory-safety
+ * bound. Authenticity of the FIT bytes is provided by the outer
+ * wolfBoot signature; this cap is a belt-and-suspenders limit so a
+ * malformed-but-signed gzip stream cannot inflate without bound.
+ * Callers that need a tighter, RAM-window-aware bound should use
+ * fit_load_image_ex() (FIT-`load` destination + explicit out_max)
+ * or fit_load_image_to() (caller-supplied destination + dst_max).
+ * Override per target via:
  *   CFLAGS+=-DWOLFBOOT_FIT_MAX_DECOMP=...
  */
 #ifndef WOLFBOOT_FIT_MAX_DECOMP
@@ -904,13 +909,22 @@ int fdt_fixup_initrd(void* fdt, uint64_t start, uint64_t size)
 #define WOLFBOOT_LOAD_RAMDISK_ADDRESS 0
 #endif
 
+/* Upper bound on the (decompressed) ramdisk size. Defaults to the
+ * generic FIT decompression cap. Targets with a tighter known-safe
+ * RAM window for the ramdisk should override this. */
+#ifndef WOLFBOOT_FIT_MAX_RAMDISK
+#define WOLFBOOT_FIT_MAX_RAMDISK WOLFBOOT_FIT_MAX_DECOMP
+#endif
+
 /* Load a FIT ramdisk subimage and patch the DTB's /chosen
  * linux,initrd-{start,end} to point at it. If
- * WOLFBOOT_LOAD_RAMDISK_ADDRESS is nonzero, the ramdisk is relocated
- * to that fixed address (overrides the FIT's `load` property);
- * otherwise the address fit_load_image returned (FIT-specified or
- * in-FIT pointer) is used as-is. Caller passes the DTB pointer for
- * the initrd fixup, or NULL to skip the fixup.
+ * WOLFBOOT_LOAD_RAMDISK_ADDRESS is nonzero, the ramdisk is loaded
+ * directly to that fixed address - bypassing the FIT's `load`
+ * property entirely - so a gzip-compressed ramdisk is decompressed
+ * straight into the override (with the override capacity acting as
+ * the safety bound). Otherwise the address fit_load_image returned
+ * (FIT-specified or in-FIT pointer) is used as-is. Caller passes the
+ * DTB pointer for the initrd fixup, or NULL to skip the fixup.
  *
  * Returns 0 on success, -1 if the ramdisk node was found but the
  * load failed. The current callers ignore the return value
@@ -926,41 +940,52 @@ int fit_load_ramdisk(void* fit, const char* ramdisk_node, void* dts_addr)
         return -1;
     }
 
-    rd_ptr = (uint8_t*)fit_load_image(fit, ramdisk_node, &rd_size);
-    if (rd_ptr == NULL || rd_size <= 0) {
-        wolfBoot_printf("FIT: ramdisk node present but load failed\n");
-        return -1;
-    }
-
     if (WOLFBOOT_LOAD_RAMDISK_ADDRESS != 0) {
         rd_dst = (uint8_t*)WOLFBOOT_LOAD_RAMDISK_ADDRESS;
-        if (rd_ptr != rd_dst) {
-            wolfBoot_printf("Loading ramdisk: %p -> %p (%d bytes)\n",
-                rd_ptr, rd_dst, rd_size);
-            memcpy(rd_dst, rd_ptr, rd_size);
-        }
-        else {
-            wolfBoot_printf("Loaded ramdisk: %p (%d bytes)\n",
-                rd_dst, rd_size);
+        rd_ptr = (uint8_t*)fit_load_image_to(fit, ramdisk_node,
+            rd_dst, (uint32_t)WOLFBOOT_FIT_MAX_RAMDISK, &rd_size);
+        if (rd_ptr == NULL || rd_size <= 0) {
+            wolfBoot_printf("FIT: ramdisk node present but load failed\n");
+            return -1;
         }
+        wolfBoot_printf("Loaded ramdisk: %p (%d bytes)\n",
+            rd_dst, rd_size);
     }
     else {
+        rd_ptr = (uint8_t*)fit_load_image(fit, ramdisk_node, &rd_size);
+        if (rd_ptr == NULL || rd_size <= 0) {
+            wolfBoot_printf("FIT: ramdisk node present but load failed\n");
+            return -1;
+        }
         rd_dst = rd_ptr;
         wolfBoot_printf("Loaded ramdisk: %p (%d bytes)\n",
             rd_dst, rd_size);
     }
 
     if (dts_addr != NULL) {
-        (void)fdt_fixup_initrd(dts_addr,
+        int frc = fdt_fixup_initrd(dts_addr,
             (uint64_t)(uintptr_t)rd_dst, (uint64_t)rd_size);
+        if (frc != 0) {
+            wolfBoot_printf("FIT: fdt_fixup_initrd failed (rc=%d); "
+                "kernel will not see initrd\n", frc);
+            return -1;
+        }
     }
 
     return 0;
 }
 #endif /* WOLFBOOT_FIT_RAMDISK */
 
-void* fit_load_image_ex(void* fdt, const char* image, int* lenp,
-    uint32_t out_max)
+/* Inner implementation shared by fit_load_image_ex and fit_load_image_to.
+ * When dst_override is non-NULL it replaces the FIT image's `load`
+ * property as the destination, so a compressed (gzip) payload is
+ * decompressed directly into the caller's buffer rather than being
+ * routed through the FIT-declared address. The `entry` property is
+ * also ignored when dst_override is in effect, since the caller wants
+ * the override address back.
+ */
+static void* fit_load_image_inner(void* fdt, const char* image, int* lenp,
+    uint32_t out_max, void* dst_override)
 {
     void *load, *entry, *data = NULL;
     int off, len = 0;
@@ -976,6 +1001,12 @@ void* fit_load_image_ex(void* fdt, const char* image, int* lenp,
         data = (void*)fdt_getprop(fdt, off, "data", &len);
         load = fdt_getprop_address(fdt, off, "load");
         entry = fdt_getprop_address(fdt, off, "entry");
+        if (dst_override != NULL) {
+            /* Caller-supplied destination replaces the FIT load
+             * property and disables `entry` resolution. */
+            load = dst_override;
+            entry = NULL;
+        }
         if (data != NULL) {
             int is_gzip = 0;
             int is_unknown_comp = 0;
@@ -1073,9 +1104,24 @@ void* fit_load_image_ex(void* fdt, const char* image, int* lenp,
 
 }
 
+void* fit_load_image_ex(void* fdt, const char* image, int* lenp,
+    uint32_t out_max)
+{
+    return fit_load_image_inner(fdt, image, lenp, out_max, NULL);
+}
+
 void* fit_load_image(void* fdt, const char* image, int* lenp)
 {
     return fit_load_image_ex(fdt, image, lenp, WOLFBOOT_FIT_MAX_DECOMP);
 }
 
+void* fit_load_image_to(void* fdt, const char* image, void* dst,
+    uint32_t dst_max, int* lenp)
+{
+    if (dst == NULL) {
+        return NULL;
+    }
+    return fit_load_image_inner(fdt, image, lenp, dst_max, dst);
+}
+
 #endif /* (MMU || WOLFBOOT_FDT) && !BUILD_LOADER_STAGE1 */

src/update_disk.c

@@ -548,7 +548,13 @@ void RAMFUNCTION wolfBoot_start(void)
 
         (void)fit_find_images(fit, &kernel, &flat_dt, &ramdisk);
         if (kernel != NULL) {
-            load_address = fit_load_image(fit, kernel, NULL);
+            void *new_load = fit_load_image(fit, kernel, NULL);
+            if (new_load == NULL) {
+                wolfBoot_printf("FIT: failed to load kernel '%s'\r\n",
+                    kernel);
+                wolfBoot_panic();
+            }
+            load_address = new_load;
         }
         if (flat_dt != NULL) {
             uint8_t *dts_ptr = fit_load_image(fit, flat_dt, (int*)&dts_size);

src/update_ram.c

@@ -375,7 +375,12 @@ void RAMFUNCTION wolfBoot_start(void)
 
         (void)fit_find_images(fit, &kernel, &flat_dt, &ramdisk);
         if (kernel != NULL) {
-            load_address = fit_load_image(fit, kernel, NULL);
+            void *new_load = fit_load_image(fit, kernel, NULL);
+            if (new_load == NULL) {
+                wolfBoot_printf("FIT: failed to load kernel '%s'\n", kernel);
+                wolfBoot_panic();
+            }
+            load_address = new_load;
         }
         if (flat_dt != NULL) {
             uint8_t *dts_ptr = fit_load_image(fit, flat_dt, (int*)&dts_size);

tools/unit-tests/Makefile

@@ -59,6 +59,7 @@ TESTS:=unit-parser unit-fdt unit-extflash unit-string unit-spi-flash unit-aes128
        unit-keygen-xmss-params
 TESTS+=unit-tpm-check-rot-auth
 TESTS+=unit-tpm-api-names
+TESTS+=unit-fit-gzip unit-fit-nogzip
 
 include unit-sign-encrypted-output.mkfrag
 
@@ -324,6 +325,19 @@ unit-delta: ../../include/target.h unit-delta.c
 unit-gzip: ../../include/target.h unit-gzip.c
 	gcc -o $@ unit-gzip.c $(CFLAGS) -DWOLFBOOT_GZIP $(LDFLAGS)
 
+# FIT-loader gzip / unsupported-compression branch coverage. Built twice
+# from the same source: once with WOLFBOOT_GZIP (success + decompress
+# failure paths) and once without (compile-time fail-closed path).
+unit-fit-gzip: ../../include/target.h unit-fit-gzip.c
+	gcc -o $@ unit-fit-gzip.c $(CFLAGS) -DWOLFBOOT_FDT -DWOLFBOOT_GZIP \
+		-DWOLFBOOT_NO_PRINTF \
+		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
+
+unit-fit-nogzip: ../../include/target.h unit-fit-gzip.c
+	gcc -o $@ unit-fit-gzip.c $(CFLAGS) -DWOLFBOOT_FDT \
+		-DWOLFBOOT_NO_PRINTF \
+		-ffunction-sections -fdata-sections $(LDFLAGS) -Wl,--gc-sections
+
 unit-update-flash: ../../include/target.h unit-update-flash.c
 	gcc -o $@ unit-update-flash.c ../../src/image.c $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sha256.c $(CFLAGS) $(LDFLAGS)