Merge changes I0b17b082,I894051ed,I662a5997 into main am: 6cda0a19bb

Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2784256

Change-Id: I443a3252399495cb3d2274a224e5f9184187e686
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index c17cad5..b8ffb33 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -165,7 +165,7 @@
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 {
 	const fdt32_t *tagp, *lenp;
-	uint32_t tag;
+	uint32_t tag, len, sum;
 	int offset = startoffset;
 	const char *p;
 
@@ -188,23 +188,22 @@
 		break;
 
 	case FDT_PROP:
-		lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
+		lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
 		if (!can_assume(VALID_DTB) && !lenp)
 			return FDT_END; /* premature end */
 
-		/* skip name offset, length */
-		offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
-
-		if (!can_assume(VALID_DTB)
-		    && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+		len = fdt32_to_cpu(*lenp);
+		sum = len + offset;
+		if (!can_assume(VALID_DTB) &&
+		    (INT_MAX <= sum || sum < (uint32_t) offset))
 			return FDT_END; /* premature end */
 
-		/* skip value */
-		offset += fdt32_to_cpu(*lenp);
+		/* skip-name offset, length and value */
+		offset += sizeof(struct fdt_property) - FDT_TAGSIZE + len;
 
 		if (!can_assume(LATEST) &&
-		    fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
-		    ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
+		    fdt_version(fdt) < 0x10 && len >= 8 &&
+		    ((offset - len) % 8) != 0)
 			offset += 4;
 		break;
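Review bot: The new guard in the `FDT_PROP` case bounds only `len + offset`, while the advance that follows adds `sizeof(struct fdt_property) - FDT_TAGSIZE + len`, and the pre-v16 alignment path can add 4 more. A property length that puts `sum` just below `INT_MAX` therefore passes the guard, yet the result no longer fits in `int offset`. The conversion back to `int` is then implementation-defined, and rejecting such a blob depends on whatever range check follows the `switch`, which is outside this hunk along with the rest of `fdt_next_tag`. Consider leaving headroom for the header and padding in the same condition, e.g. `(sum >= INT_MAX - (sizeof(struct fdt_property) - FDT_TAGSIZE + 4) || sum < (uint32_t) offset)`. A short comment such as `/* len is untrusted: reject before offset can exceed INT_MAX */` would record why the check precedes the advance.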