Merge branch 'dev/10/fp2/security-aosp-qt-release' into int/10/fp2
* dev/10/fp2/security-aosp-qt-release:
libfdt: fdt_path_offset_namelen: Reject empty paths
Fix integer wrap sanitisation.
Change-Id: Ica90a3e7d48c681eef9bff73f546da588b3f8e60
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 5baaed3..ed7e947 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -124,9 +124,15 @@
lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
if (!lenp)
return FDT_END; /* premature end */
- /* skip-name offset, length and value */
- offset += sizeof(struct fdt_property) - FDT_TAGSIZE
- + fdt32_to_cpu(*lenp);
+
+ /* skip-name offset, length */
+ offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
+
+ if (!fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+ return FDT_END; /* premature end */
+
+ /* skip value */
+ offset += fdt32_to_cpu(*lenp);
break;
case FDT_END:
@@ -138,7 +144,7 @@
return FDT_END;
}
- if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+ if (offset <= startoffset || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))
return FDT_END; /* premature end */
*nextoffset = FDT_TAGALIGN(offset);
diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
index 08de2cc..3b65f16 100644
--- a/libfdt/fdt_ro.c
+++ b/libfdt/fdt_ro.c
@@ -188,6 +188,9 @@
FDT_CHECK_HEADER(fdt);
+ if (namelen < 1)
+ return -FDT_ERR_BADPATH;
+
/* see if we have an alias */
if (*path != '/') {
const char *q = memchr(path, '/', end - p);