From: Courtney Cavin <courtney.cavin@xxxxxxxxxxxxxx> This patch catches the conditions where: - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) ) - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow Either of these cases can be caused by math which overflows in calling functions, or by sizes specified through dynamic means. Signed-off-by: Courtney Cavin <courtney.cavin@xxxxxxxxxxxxxx> Signed-off-by: Bjorn Andersson <bjorn.andersson@xxxxxxxxxxxxxx> --- libfdt/fdt_rw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c index 70adec6c371b..8be02b1f68f3 100644 --- a/libfdt/fdt_rw.c +++ b/libfdt/fdt_rw.c @@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen) if (((p + oldlen) < p) || ((p + oldlen) > end)) return -FDT_ERR_BADOFFSET; + if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt)) + return -FDT_ERR_BADOFFSET; if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt))) return -FDT_ERR_NOSPACE; memmove(p + newlen, p + oldlen, end - p - oldlen); -- 2.4.2 -- To unsubscribe from this list: send the line "unsubscribe devicetree-compiler" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
