Fix integer wrap sanitisation.

Test: make check
Test: afl-clang with new corpus data
Bug: 239630493
Change-Id: I232155e7f7a54271a6a3e3a7cd91ed6bbabc051f
This commit is contained in:
Mike McTernan 2022-07-22 11:44:33 +01:00
parent 199ed336cd
commit 05dec6d182


@ -188,12 +188,20 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
break; break;
case FDT_PROP: case FDT_PROP:
lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp)); lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
if (!can_assume(VALID_DTB) && !lenp) if (!can_assume(VALID_DTB) && !lenp)
return FDT_END; /* premature end */ return FDT_END; /* premature end */
/* skip-name offset, length and value */
offset += sizeof(struct fdt_property) - FDT_TAGSIZE /* skip name offset, length */
+ fdt32_to_cpu(*lenp); offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
if (!can_assume(VALID_DTB)
&& !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
return FDT_END; /* premature end */
/* skip value */
offset += fdt32_to_cpu(*lenp);
if (!can_assume(LATEST) && if (!can_assume(LATEST) &&
fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 && fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
((offset - fdt32_to_cpu(*lenp)) % 8) != 0) ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
@ -209,7 +217,8 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
return FDT_END; return FDT_END;
} }
if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset)) if (!can_assume(VALID_DTB) && (offset <= startoffset
|| !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
return FDT_END; /* premature end */ return FDT_END; /* premature end */
*nextoffset = FDT_TAGALIGN(offset); *nextoffset = FDT_TAGALIGN(offset);