authorXin Li <delphij@google.com>2023-08-14 15:44:58 -0700
committerXin Li <delphij@google.com>2023-08-14 15:44:58 -0700
commitfc8695529a019c55d923415004ebc595947fc440 (patch)
tree4d146b70e81e196e072bcb73f882b8a942f30c75
parent4241296c2c7852c3578dcc888c5cebf6b6db9ada (diff)
parent7699eed4d7f6e1c048d62536d994cb0ce9d92922 (diff)
downloadlibufdt-tmp_amf_298295554.tar.gz
Merge Android U (ab/10368041)tmp_amf_298295554
Bug: 291102124 Merged-In: I13480bb2489b45a0eea0310acac16de05ece2df1 Change-Id: I3bcd185528ed2640a619fe261ef5eb316e8769b8
-rw-r--r--ufdt_convert.c7
-rw-r--r--ufdt_overlay.c10
2 files changed, 15 insertions, 2 deletions
diff --git a/ufdt_convert.c b/ufdt_convert.c
index 3db12a0..8147f5b 100644
--- a/ufdt_convert.c
+++ b/ufdt_convert.c
@@ -40,6 +40,8 @@ struct ufdt *ufdt_construct(void *fdtp, struct ufdt_node_pool *pool) {
res_ufdt->mem_size_fdtps = DEFAULT_MEM_SIZE_FDTPS;
res_ufdt->num_used_fdtps = (fdtp != NULL ? 1 : 0);
res_ufdt->root = NULL;
+ res_ufdt->phandle_table.data = NULL;
+ res_ufdt->phandle_table.len = 0;
return res_ufdt;
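Review bot: Setting `phandle_table.data` and `phandle_table.len` one field at a time in `ufdt_construct` leaves the same gap open for the next member added to `struct ufdt`, since the constructor appears to initialise every field individually. If the allocation (outside this hunk) does not already zero the struct, clearing it once right after allocation, e.g. `memset(res_ufdt, 0, sizeof(*res_ufdt));` through the project's sysdeps wrapper, would make any later NULL test or free of `phandle_table.data` safe by construction. The start of the function is not visible here, so confirm how `res_ufdt` is allocated before changing it.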
@@ -350,6 +352,11 @@ static int _ufdt_output_property_to_fdt(
int data_len = 0;
void *data = ufdt_node_get_fdt_prop_data(&prop_node->parent, &data_len);
+ if (!data) {
+ dto_error("Failed to get property data.\n");
+ return -1;
+ }
+
unsigned int aligned_data_len =
((unsigned int)data_len + (FDT_TAGSIZE - 1u)) & ~(FDT_TAGSIZE - 1u);
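Review bot: `data_len` is still used unchecked after the new NULL test in `_ufdt_output_property_to_fdt`: it is an `int` that is cast to `unsigned int` for the alignment computation, so a negative length would become a very large `aligned_data_len`. Whether `ufdt_node_get_fdt_prop_data` can return a non-NULL pointer together with a negative length (for example from a malformed blob whose length field does not fit in `int`) is not visible here, but the guard is cheap to extend: `if (!data || data_len < 0) {`. The error message would also be easier to act on if it named the property that failed. The rest of the function lies outside the hunk.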
diff --git a/ufdt_overlay.c b/ufdt_overlay.c
index 16210ae..69467a6 100644
--- a/ufdt_overlay.c
+++ b/ufdt_overlay.c
@@ -163,7 +163,12 @@ void *ufdt_get_fixup_location(struct ufdt *tree, const char *fixup) {
prop_offset = dto_strtoul(offset_ptr, &end_ptr, 10 /* base */);
if (*end_ptr != '\0') {
- dto_error("'%s' is not valid number\n", offset_ptr);
+ dto_error("'%s' is not a valid number\n", offset_ptr);
+ goto fail;
+ }
+
+ if (prop_offset < 0) {
+ dto_error("'%s' is not a valid offset\n", offset_ptr);
goto fail;
}
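Review bot: The `prop_offset < 0` test in `ufdt_get_fixup_location` runs after the `dto_strtoul` result has already been narrowed into `prop_offset`, so it only rejects values that happen to land negative. Assuming `prop_offset` is an `int` (its declaration is outside the hunk, but the later `(int)sizeof(uint32_t)` comparison suggests so), an offset string above `UINT_MAX` on an LP64 target can wrap to a small non-negative number and pass. Range-check the unsigned result before narrowing: `unsigned long off = dto_strtoul(offset_ptr, &end_ptr, 10 /* base */);` followed by `if (*end_ptr != '\0' || off > INT_MAX) goto fail;`. If `dto_strtoul` follows `strtoul`, an empty offset string also passes the `*end_ptr != '\0'` test and is read as 0; adding `end_ptr == offset_ptr` to the rejection covers that case.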
@@ -183,7 +188,8 @@ void *ufdt_get_fixup_location(struct ufdt *tree, const char *fixup) {
/*
* Note that prop_offset is the offset inside the property data.
*/
- if (prop_len < prop_offset + (int)sizeof(uint32_t)) {
+ if (prop_len < (int)sizeof(uint32_t) ||
+ prop_offset > prop_len - (int)sizeof(uint32_t)) {
dto_error("%s: property length is too small for fixup\n", path);
goto fail;
}
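Review bot: The comment above the rewritten bounds check still only says what `prop_offset` is, and it should also record why the comparison is written as a subtraction, because a later tidy-up could otherwise restore the overflowing `prop_offset + (int)sizeof(uint32_t)` form. A line such as `/* Compare by subtraction: prop_offset + sizeof(uint32_t) can overflow int for a hostile offset. */` would do. It is also worth stating there that the check relies on `prop_offset >= 0`, which is enforced by the earlier hunk in the same function, and that `prop_len < (int)sizeof(uint32_t)` is tested first so the subtraction cannot go negative.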