From: Patrick Oppenlander <patrick.oppenlander@xxxxxxxxx> fdt_check_header assumes that its argument points to a complete header and can read data beyond the FDT_V1_SIZE bytes which fdt_check_full can provide. fdt_header_size can safely return a header size with FDT_V1_SIZE bytes available and will return a usable value even for a corrupted header. Signed-off-by: Patrick Oppenlander <patrick.oppenlander@xxxxxxxxx> --- libfdt/fdt_check.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/libfdt/fdt_check.c b/libfdt/fdt_check.c index 7f6a96c..9ddfdbf 100644 --- a/libfdt/fdt_check.c +++ b/libfdt/fdt_check.c @@ -22,6 +22,8 @@ int fdt_check_full(const void *fdt, size_t bufsize) if (bufsize < FDT_V1_SIZE) return -FDT_ERR_TRUNCATED; + if (bufsize < fdt_header_size(fdt)) + return -FDT_ERR_TRUNCATED; err = fdt_check_header(fdt); if (err != 0) return err; -- 2.27.0
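Review bot: the new `if (bufsize < fdt_header_size(fdt))` check in fdt_check_full() is only safe because the `bufsize < FDT_V1_SIZE` guard runs just before it, and nothing in the code records that ordering dependency. The commit message explains that fdt_header_size can be called with only FDT_V1_SIZE bytes available; a one-line comment above the new check saying the same would stop a later cleanup from merging or reordering the two truncation tests. The diffstat shows only libfdt/fdt_check.c changing, so it would also be worth adding a regression case that passes a buffer at least FDT_V1_SIZE bytes long but shorter than the header size and expects -FDT_ERR_TRUNCATED.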