If the AcOffset is modified by an adversary, the adversary would have an opportunity to perform a classic buffer overflow attack by reading in more data than should be allowed.
Note that the buffer ImageHdr which is used to store the image header read from external memory is stored in the upper portion of OCM memory and lies within address 0xFFFF_0000.
The FSBL cannot be overwritten as the FSBL code resides in the lower portion of OCM memory, but an adversary only needs to overwrite a minimum of 65,535 bytes of data before malicious code can be loaded.
For more information on how to sign up to receive notifications of new Design Advisories, see (Xilinx Answer 18683).
This vulnerability impacts the 2019.1 (and older) FSBL. A patch for the 2019.1 FSBL is linked to this Answer Record.
This issue has been fixed in the 2019.2 version, where the FSBL checks the size before copying and returns an error in case of size overflow.