ANDROID: Revert "Fix integer wrap sanitisation."
This reverts commit 0e783e26f75c08e421467ca4a6c21ff2589cd2fa.
Revert the patch we've had in Android now that upstream has [1]
commit 73590342fc85 ("libfdt: prevent integer overflow in fdt_next_tag")
which addresses the same bug.
As that patch is less rigorous w.r.t. the final value of 'offset' than
the one, the last 'if' is upstreamed by [2], which will be cherry-picked
here.
[1]: https://android.googlesource.com/platform/external/dtc/+/73590342fc85ca207ca1e6cbc110179873a96962
[2]: https://lore.kernel.org/devicetree-compiler/20231011172427.g4tlsew3wsjtddil@google.com/
Test: N/A
Change-Id: I662a599713b4090abd090322bca0a78e58f4c92c
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index c17cad5..9fe7cf4 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -188,20 +188,12 @@
break;
case FDT_PROP:
- lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
+ lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
if (!can_assume(VALID_DTB) && !lenp)
return FDT_END; /* premature end */
-
- /* skip name offset, length */
- offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
-
- if (!can_assume(VALID_DTB)
- && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
- return FDT_END; /* premature end */
-
- /* skip value */
- offset += fdt32_to_cpu(*lenp);
-
+ /* skip-name offset, length and value */
+ offset += sizeof(struct fdt_property) - FDT_TAGSIZE
+ + fdt32_to_cpu(*lenp);
if (!can_assume(LATEST) &&
fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
@@ -217,8 +209,7 @@
return FDT_END;
}
- if (!can_assume(VALID_DTB) && (offset <= startoffset
- || !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
+ if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
return FDT_END; /* premature end */
*nextoffset = FDT_TAGALIGN(offset);