libfdt: check for potential overrun in _fdt_splice() This patch catches the conditions where: - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) ) - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow Either of these cases can be caused by math which overflows in calling functions, or by sizes specified through dynamic means. Signed-off-by: Courtney Cavin <courtney.cavin@sonymobile.com> Signed-off-by: Bjorn Andersson <bjorn.andersson@sonymobile.com>

commit: d4c7c25c9ed138df8bafbe61097c27c9d2629ee3 [log] [tgz]
author: Courtney Cavin <courtney.cavin@sonymobile.com> Tue Dec 01 16:43:10 2015 -0800
committer: David Gibson <david@gibson.dropbear.id.au> Wed Dec 02 13:11:11 2015 +1100
tree: 9a37858d7e0fea7d58c89a258c7ca346b3511fa5
parent: f58799be130e27cc729cb2d45566daa0bb3b8605 [diff]
diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
index 70adec6..8be02b1 100644
--- a/libfdt/fdt_rw.c
+++ b/libfdt/fdt_rw.c

@@ -101,6 +101,8 @@
 
 	if (((p + oldlen) < p) || ((p + oldlen) > end))
 		return -FDT_ERR_BADOFFSET;
+	if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
+		return -FDT_ERR_BADOFFSET;
 	if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
 		return -FDT_ERR_NOSPACE;
 	memmove(p + newlen, p + oldlen, end - p - oldlen);
commit	d4c7c25c9ed138df8bafbe61097c27c9d2629ee3	[log] [tgz]
author	Courtney Cavin <courtney.cavin@sonymobile.com>	Tue Dec 01 16:43:10 2015 -0800
committer	David Gibson <david@gibson.dropbear.id.au>	Wed Dec 02 13:11:11 2015 +1100
tree	9a37858d7e0fea7d58c89a258c7ca346b3511fa5
parent	f58799be130e27cc729cb2d45566daa0bb3b8605 [diff]