We have a couple of checks of the form:
if (offset+size > totalsize)
die();
We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.
Found with AFL.
Signed-off-by: Anton Blanchard <anton@xxxxxxxxx>
---
I've attached an example device tree, do we want to add binary blobs
to the test suite?
diff --git a/flattree.c b/flattree.c
index bd99fa2..ec14954 100644
--- a/flattree.c
+++ b/flattree.c
@@ -889,7 +889,7 @@ struct boot_info *dt_from_blob(const char *fname)
if (version >= 3) {
uint32_t size_str = fdt32_to_cpu(fdt->size_dt_strings);
- if (off_str+size_str > totalsize)
+ if ((off_str+size_str < off_str) || (off_str+size_str > totalsize))
die("String table extends past total size\n");
inbuf_init(&strbuf, blob + off_str, blob + off_str + size_str);
} else {
@@ -898,7 +898,7 @@ struct boot_info *dt_from_blob(const char *fname)
if (version >= 17) {
size_dt = fdt32_to_cpu(fdt->size_dt_struct);
- if (off_dt+size_dt > totalsize)
+ if ((off_dt+size_dt < off_dt) || (off_dt+size_dt > totalsize))
die("Structure block extends past total size\n");
}
Attachment:
t.dtb
Description: Binary data
