Fix integer wrap sanitisation. am: 61e10c9c53 am: 5a3e448a22

Original change: https://googleplex-android-review.googlesource.com/c/platform/external/dtc/+/19606334

Change-Id: I9b5bc2e2c9ac76f4a91529de55f6cfdbd607e3a5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Mike McTernan 2022-08-18 16:28:19 +00:00 committed by Automerger Merge Worker
commit d3f1c05623

View file

@ -124,9 +124,15 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
if (!lenp)
return FDT_END; /* premature end */
/* skip-name offset, length and value */
offset += sizeof(struct fdt_property) - FDT_TAGSIZE
+ fdt32_to_cpu(*lenp);
/* skip-name offset, length */
offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
return FDT_END; /* premature end */
/* skip value */
offset += fdt32_to_cpu(*lenp);
break;
case FDT_END:
@ -138,7 +144,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
return FDT_END;
}
if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))
return FDT_END; /* premature end */
*nextoffset = FDT_TAGALIGN(offset);