diff options
| author | Pierre-Clément Tosi <ptosi@google.com> | 2023-10-12 13:37:31 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-10-12 13:37:31 +0000 |
| commit | a23524bad8ddf1140e8f225dbf77cbfea02e874b (patch) | |
| tree | df5e71999a8ed9c1d0f04c5d952a121196e50d48 | |
| parent | f25c58e67f56c3f68ad63e05bb95f85f6dee2745 (diff) | |
| parent | 14b204d7072ea39830d84802e11b39dd4f693612 (diff) | |
| download | dtc-a23524bad8ddf1140e8f225dbf77cbfea02e874b.tar.gz | |
Merge changes I0b17b082,I894051ed,I662a5997 into main am: 6cda0a19bb am: 14b204d707
Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2784256
Change-Id: Iae8a7309c28536ca83f39b2471eaf6bd15006768
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| -rw-r--r-- | libfdt/fdt.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/libfdt/fdt.c b/libfdt/fdt.c index c17cad5..b8ffb33 100644 --- a/libfdt/fdt.c +++ b/libfdt/fdt.c @@ -165,7 +165,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len) uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) { const fdt32_t *tagp, *lenp; - uint32_t tag; + uint32_t tag, len, sum; int offset = startoffset; const char *p; @@ -188,23 +188,22 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset) break; case FDT_PROP: - lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE); + lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); if (!can_assume(VALID_DTB) && !lenp) return FDT_END; /* premature end */ - /* skip name offset, length */ - offset += sizeof(struct fdt_property) - FDT_TAGSIZE; - - if (!can_assume(VALID_DTB) - && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))) + len = fdt32_to_cpu(*lenp); + sum = len + offset; + if (!can_assume(VALID_DTB) && + (INT_MAX <= sum || sum < (uint32_t) offset)) return FDT_END; /* premature end */ - /* skip value */ - offset += fdt32_to_cpu(*lenp); + /* skip-name offset, length and value */ + offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len; if (!can_assume(LATEST) && - fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 && - ((offset - fdt32_to_cpu(*lenp)) % 8) != 0) + fdt_version(fdt) < 0x10 && len >= 8 && + ((offset - len) % 8) != 0) offset += 4; break; |