Catch unsigned 32bit overflow when parsing flattened device tree offsets

We have a couple of checks of the form:

    if (offset+size > totalsize)

We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.

Found with AFL.

Signed-off-by: Anton Blanchard <>
[Added a testcase]
Signed-off-by: David Gibson <>
5 files changed
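
The wraparound described in the commit message, as an added example that is not code from this commit or its project: the quoted check form next to two overflow-safe forms. The function names and the sample values in `main` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names; not taken from the patched project. */

/* Check form quoted in the commit message. The sum is computed modulo 2^32,
 * so a large offset wraps to a small value and the comparison passes. */
static bool range_ok_naive(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    return !((uint32_t)(offset + size) > totalsize);
}

/* Safe form 1: never add; compare size against the room left after offset. */
static bool range_ok_checked(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    if (offset > totalsize)
        return false;
    return size <= totalsize - offset;   /* cannot underflow here */
}

/* Safe form 2: add, then reject the result if it wrapped below offset. */
static bool range_ok_wrapcheck(uint32_t offset, uint32_t size, uint32_t totalsize)
{
    uint32_t end = offset + size;
    if (end < offset)                    /* unsigned wraparound occurred */
        return false;
    return end <= totalsize;
}

int main(void)
{
    /* Constructed header values: a 4 KiB blob with an offset near 2^32. */
    uint32_t totalsize = 0x1000, offset = 0xFFFFFFF0u, size = 0x20;

    printf("naive:     %s\n", range_ok_naive(offset, size, totalsize) ? "accept" : "reject");
    printf("checked:   %s\n", range_ok_checked(offset, size, totalsize) ? "accept" : "reject");
    printf("wrapcheck: %s\n", range_ok_wrapcheck(offset, size, totalsize) ? "accept" : "reject");
    return 0;
}
```
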