author | Pierre-Clément Tosi <ptosi@google.com> | 2023-10-12 15:15:38 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2023-10-12 15:15:38 +0000 |
commit | c2970dd8f8aa627226d3c3b8c16a415ecf206655 (patch) | |
tree | df5e71999a8ed9c1d0f04c5d952a121196e50d48 | |
parent | a139df2377e63d35bd87269b31c77cad4884cbca (diff) | |
parent | 13a364e68b5f930d65e4bceb4fb7d9f6aa4556a5 (diff) | |
download | dtc-c2970dd8f8aa627226d3c3b8c16a415ecf206655.tar.gz |
Merge changes I0b17b082,I894051ed,I662a5997 into main am: 6cda0a19bb am: 14b204d707 am: a23524bad8 am: dc5c2d983f am: 13a364e68b
Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2784256
Change-Id: I2a17540cb29bdcad277dc5bb459dfe03c332b840
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | libfdt/fdt.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index c17cad5..b8ffb33 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -165,7 +165,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 {
 const fdt32_t *tagp, *lenp;
- uint32_t tag;
+ uint32_t tag, len, sum;
 int offset = startoffset;
 const char *p;
@@ -188,23 +188,22 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 break;
 case FDT_PROP:
- lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
+ lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
 if (!can_assume(VALID_DTB) && !lenp)
 return FDT_END; /* premature end */
- /* skip name offset, length */
- offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
-
- if (!can_assume(VALID_DTB)
- && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+ len = fdt32_to_cpu(*lenp);
+ sum = len + offset;
+ if (!can_assume(VALID_DTB) &&
+ (INT_MAX <= sum || sum < (uint32_t) offset))
 return FDT_END; /* premature end */
- /* skip value */
- offset += fdt32_to_cpu(*lenp);
+ /* skip-name offset, length and value */
+ offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
 if (!can_assume(LATEST) &&
- fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
- ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
+ fdt_version(fdt) < 0x10 && len >= 8 &&
+ ((offset - len) % 8) != 0)
 offset += 4;
 break; |
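Review bot: The new overflow guard in the `FDT_PROP` case tests `sum = len + offset`, but the increment that follows adds `sizeof(struct fdt_property) - FDT_TAGSIZE + len`, so a `sum` just below `INT_MAX` passes the guard and the addition can still take `offset` out of `int` range. The guard should leave room for the two header words, for example `(INT_MAX - (sizeof(struct fdt_property) - FDT_TAGSIZE) <= sum || sum < (uint32_t) offset))`. The removed `fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp))` call also verified that the property value lies inside the blob, which an arithmetic check alone does not do. The new code presumably relies on a later range check in `fdt_next_tag`, whose body starts and ends outside this hunk; if so, a short comment such as `/* value bounds are validated by the range check after the switch */` would record that dependency for the next reader.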