dtc: add integer overflow checks in fdt header Protect against integer overflows caused by malformed fdt headers. CRs-Fixed: 749977 Change-Id: I51d87038f520bc761b163d291b0138c513c69a33 Signed-off-by: Vijay Kumar Pendoti <vpendo@codeaurora.org> Signed-off-by: Matt Wagantall <mattw@codeaurora.org>

commit: ea53d779b5045518d1b455769040106e32e6f001 [log] [tgz]
author: Vijay Kumar Pendoti <vpendo@codeaurora.org> Tue Aug 12 20:35:44 2014 +0530
committer: Matt Wagantall <mattw@codeaurora.org> Sat Nov 29 11:11:07 2014 -0800
tree: 623b194d24c770077224724f467aeb22c02301b8
parent: 2bd2a1a16cf35cb9fd2fe0184991c5ad317f9383 [diff] [blame]
diff --git a/scripts/dtc/libfdt/fdt.c b/scripts/dtc/libfdt/fdt.c
index 2acaec5..f4a77f2 100644
--- a/scripts/dtc/libfdt/fdt.c
+++ b/scripts/dtc/libfdt/fdt.c

@@ -71,6 +71,20 @@
 		return -FDT_ERR_BADMAGIC;
 	}
 
+	if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))
+		return FDT_ERR_BADOFFSET;
+
+	if (fdt_off_dt_strings(fdt) > (UINT_MAX -  fdt_size_dt_strings(fdt)))
+		return FDT_ERR_BADOFFSET;
+
+	if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt))
+	    > fdt_totalsize(fdt))
+		return FDT_ERR_BADOFFSET;
+
+	if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt))
+	    > fdt_totalsize(fdt))
+		return FDT_ERR_BADOFFSET;
+
 	return 0;
 }
commit	ea53d779b5045518d1b455769040106e32e6f001	[log] [tgz]
author	Vijay Kumar Pendoti <vpendo@codeaurora.org>	Tue Aug 12 20:35:44 2014 +0530
committer	Matt Wagantall <mattw@codeaurora.org>	Sat Nov 29 11:11:07 2014 -0800
tree	623b194d24c770077224724f467aeb22c02301b8
parent	2bd2a1a16cf35cb9fd2fe0184991c5ad317f9383 [diff] [blame]