authorMike McTernan <mikemcternan@google.com>2023-01-03 23:15:36 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>2023-01-03 23:15:36 +0000
commitb23a6fe0e1c64bcb8071db925eb4162fb400fd06 (patch)
tree19e07f8cb758402b8e8bb3df1c42ad7461b7f5d0
parent6bc9ce897bee7e9796f1487b73b7dca5c8b841fd (diff)
parentb3a49bc3b7735690cead723f7dc3feea05e3de87 (diff)
downloadlibufdt-b23a6fe0e1c64bcb8071db925eb4162fb400fd06.tar.gz
Merge "libufdt: don't overflow when handling propeties > INT_MAX in size" into tm-qpr-dev am: b3a49bc3b7
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/libufdt/+/20759190 Change-Id: Id5499c0b895f8f4558e4eb6007887cf0dfe4d0cb Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r--ufdt_convert.c7
-rw-r--r--ufdt_node.c8
2 files changed, 11 insertions, 4 deletions
diff --git a/ufdt_convert.c b/ufdt_convert.c
index 990b578..3db12a0 100644
--- a/ufdt_convert.c
+++ b/ufdt_convert.c
@@ -350,10 +350,11 @@ static int _ufdt_output_property_to_fdt(
int data_len = 0;
void *data = ufdt_node_get_fdt_prop_data(&prop_node->parent, &data_len);
- int aligned_data_len = (data_len + (FDT_TAGSIZE - 1)) & ~(FDT_TAGSIZE - 1);
+ unsigned int aligned_data_len =
+ ((unsigned int)data_len + (FDT_TAGSIZE - 1u)) & ~(FDT_TAGSIZE - 1u);
- int new_propoff = fdt_size_dt_struct(fdtp);
- int new_prop_size = sizeof(struct fdt_property) + aligned_data_len;
+ unsigned int new_propoff = fdt_size_dt_struct(fdtp);
+ unsigned int new_prop_size = sizeof(struct fdt_property) + aligned_data_len;
struct fdt_property *new_prop =
(struct fdt_property *)((char *)fdtp + fdt_off_dt_struct(fdtp) +
new_propoff);
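Review bot: The pointer returned by `ufdt_node_get_fdt_prop_data` is not checked in the visible lines, yet this same commit makes that function return NULL for a property longer than INT_MAX. In that case `data_len` keeps its initial 0, so the size arithmetic below proceeds as if the property were empty, and the oversized property would be written out with no data instead of being rejected. A guard directly after the call, such as `if (data == NULL) return -1;` (using whatever error value this function's callers expect), would make the failure explicit. The rest of `_ufdt_output_property_to_fdt` lies outside the hunk, so a later check may already exist; if `new_propoff + new_prop_size` is formed there, it should be checked for wrap-around now that both operands are unsigned.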
diff --git a/ufdt_node.c b/ufdt_node.c
index 89e2a17..3568ad7 100644
--- a/ufdt_node.c
+++ b/ufdt_node.c
@@ -126,7 +126,13 @@ char *ufdt_node_get_fdt_prop_data(const struct ufdt_node *node, int *out_len) {
}
const struct fdt_property *prop = (struct fdt_property *)node->fdt_tag_ptr;
if (out_len != NULL) {
- *out_len = fdt32_to_cpu(prop->len);
+ uint32_t prop_len = fdt32_to_cpu(prop->len);
+
+ if (prop_len > INT_MAX) {
+ return NULL;
+ }
+
+ *out_len = prop_len;
}
return (char *)prop->data;
}
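Review bot: The new `return NULL;` path leaves `*out_len` unwritten, so a caller that did not pre-initialise its length variable and does not test the returned pointer would read an indeterminate length. Writing `*out_len = 0;` before the `return NULL;` would make the failure state well defined. The bound is also only enforced when `out_len != NULL`, so a caller passing NULL still receives `prop->data` for an oversized property; that deserves a comment above the function, such as `/* Returns NULL if the property length exceeds INT_MAX; the length is only validated when out_len is non-NULL. */`. The final `*out_len = prop_len;` is an implicit uint32_t-to-int narrowing, and `*out_len = (int)prop_len;` would state that it is intentional after the check. The start of the function is outside the hunk, including whichever header supplies `INT_MAX`.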