Merge changes I0b17b082,I894051ed,I662a5997 into main am: 6cda0a19bb am: 14b204d707 am: a23524bad8

Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2784256 Change-Id: Ic7243a79750a8f3057f0109ff11c8163f07544a6 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-10-12 14:10:53 +00:00 · 2023-10-12 14:10:53 +00:00 · dc5c2d983f
commit dc5c2d983f
parent 4b55e461f4 a23524bad8
1 changed files with 10 additions and 11 deletions
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@ -165,7 +165,7 @@ const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 {
 	const fdt32_t *tagp, *lenp;
-	uint32_t tag;
+	uint32_t tag, len, sum;
 	int offset = startoffset;
 	const char *p;

@ -188,23 +188,22 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 		break;

 	case FDT_PROP:
-		lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
+		lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
 		if (!can_assume(VALID_DTB) && !lenp)
 			return FDT_END; /* premature end */

-		/* skip name offset, length */
-		offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
-
-		if (!can_assume(VALID_DTB)
-		    && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+		len = fdt32_to_cpu(*lenp);
+		sum = len + offset;
+		if (!can_assume(VALID_DTB) &&
+		    (INT_MAX <= sum || sum < (uint32_t) offset))
 			return FDT_END; /* premature end */

-		/* skip value */
-		offset += fdt32_to_cpu(*lenp);
+		/* skip-name offset, length and value */
+		offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;

 		if (!can_assume(LATEST) &&
-		    fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
-		    ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
+		    fdt_version(fdt) < 0x10 && len >= 8 &&
+		    ((offset - len) % 8) != 0)
 			offset += 4;
 		break;