Merge TP1A.221105.002 to aosp-master - DO NOT MERGE am: bca43fa152

Original change: https://android-review.googlesource.com/c/platform/external/dtc/+/2294418

Change-Id: Ie03c995f5e60db73abb0d6f184e1f0fb4220e090
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 9fe7cf4..c17cad5 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -188,12 +188,20 @@
 		break;
 
 	case FDT_PROP:
-		lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
+		lenp = fdt_offset_ptr(fdt, offset, sizeof(struct fdt_property) - FDT_TAGSIZE);
 		if (!can_assume(VALID_DTB) && !lenp)
 			return FDT_END; /* premature end */
-		/* skip-name offset, length and value */
-		offset += sizeof(struct fdt_property) - FDT_TAGSIZE
-			+ fdt32_to_cpu(*lenp);
+
+		/* skip name offset, length */
+		offset += sizeof(struct fdt_property) - FDT_TAGSIZE;
+
+		if (!can_assume(VALID_DTB)
+		    && !fdt_offset_ptr(fdt, offset, fdt32_to_cpu(*lenp)))
+			return FDT_END; /* premature end */
+
+		/* skip value */
+		offset += fdt32_to_cpu(*lenp);
+
 		if (!can_assume(LATEST) &&
 		    fdt_version(fdt) < 0x10 && fdt32_to_cpu(*lenp) >= 8 &&
 		    ((offset - fdt32_to_cpu(*lenp)) % 8) != 0)
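Review bot: In the `FDT_PROP` case the property length is fetched from the blob four times (`fdt32_to_cpu(*lenp)` in the new bounds check, in `offset +=`, and twice in the alignment test), so the value that was validated is not guaranteed to be the value that is later added if the blob memory can change between reads. Read it once after the NULL check, `len = fdt32_to_cpu(*lenp);` into a `uint32_t len` local, and use it in `fdt_offset_ptr(fdt, offset, len)`, in `offset += len;` and in the alignment test. That also makes it easier to see that `offset` (presumably a signed int, declared outside the hunk) only grows by a length already checked against the blob. The function's declarations and the body of the trailing `if` are outside this hunk.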
@@ -209,7 +217,8 @@
 		return FDT_END;
 	}
 
-	if (!fdt_offset_ptr(fdt, startoffset, offset - startoffset))
+	if (!can_assume(VALID_DTB) && (offset <= startoffset
+	    || !fdt_offset_ptr(fdt, startoffset, offset - startoffset)))
 		return FDT_END; /* premature end */
 
 	*nextoffset = FDT_TAGALIGN(offset);
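Review bot: The new condition puts the whole final range check behind `!can_assume(VALID_DTB)`, whereas the removed line called `fdt_offset_ptr(fdt, startoffset, offset - startoffset)` unconditionally, so builds that assume a valid DTB now reach `*nextoffset = FDT_TAGALIGN(offset)` without it. If only the new wrap test was meant to be gated, write `if ((!can_assume(VALID_DTB) && offset <= startoffset) || !fdt_offset_ptr(fdt, startoffset, offset - startoffset))`; if dropping the check is intended, a comment should say so. A short comment such as `/* offset must have advanced; <= startoffset means the length arithmetic wrapped */` would also explain the comparison. The rest of the function is outside the hunk.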