Merge Android 13 QPR2

Bug: 273316506
Merged-In: I03a56f68a7e53d941809560b943153b8fc31decc
Change-Id: I220b7e9762876d3e0ff8265fda0083ec1972e400
diff --git a/tests/src/extract_dtb.c b/tests/src/extract_dtb.c
index 8d74324..3e14618 100644
--- a/tests/src/extract_dtb.c
+++ b/tests/src/extract_dtb.c
@@ -22,8 +22,7 @@
 
 #include "util.h"
 
-
-int find_dtb_header_pos(const char *buf, size_t buf_size) {
+static int find_dtb_header_pos(const char *buf, size_t buf_size) {
   if (buf == NULL || buf_size == 0) {
     return -1;
   }
@@ -44,34 +43,44 @@
   return pos;
 }
 
-int find_and_write_dtb(const char *filename,
-                       const char *buf, size_t buf_size) {
+static int find_and_write_dtb(const char *filename, const char *buf,
+                              size_t buf_size) {
   int tag_pos = find_dtb_header_pos(buf, buf_size);
   if (tag_pos < 0) {
-    goto end;
+    return -1;
   }
 
+  buf_size -= tag_pos;
+
+  // Allocate and copy into new buffer to fix memory alignment
+  char *fdt_ptr = malloc(buf_size);
+  if (!fdt_ptr) {
+    fprintf(stderr, "malloc(%u) failed.\n", buf_size - tag_pos);
+    goto error;
+  }
+
+  memcpy(fdt_ptr, buf + tag_pos, buf_size);
+
   // Check FDT header
-  const char *fdt_ptr = buf + tag_pos;
-  if (fdt_check_header(fdt_ptr) != 0) {
-    fprintf(stderr, "Bad DTB header.\n");
-    goto end;
+  if (fdt_check_full(fdt_ptr, buf_size) != 0) {
+    fprintf(stderr, "Bad DTB.\n");
+    goto error;
   }
 
   // Check FDT size and actual size
   size_t fdt_size = fdt_totalsize(fdt_ptr);
-  size_t fdt_actual_size = buf_size - tag_pos;
-  int fdt_size_diff = (int)fdt_actual_size - (int)fdt_size;
-  if (fdt_size_diff) {
-    fprintf(stderr, "Wrong size: actual size = %d FDT size = %d(%d)\n",
-      fdt_actual_size, fdt_size, fdt_size_diff);
+  if (buf_size < fdt_size) {
+    fprintf(stderr,
+            "Wrong size: fdt truncated: buffer size = %zu < FDT size = %zu\n",
+            buf_size, fdt_size);
+    goto error;
   }
 
   // Print the DT basic information
   int root_node_off = fdt_path_offset(fdt_ptr, "/");
   if (root_node_off < 0) {
     fprintf(stderr, "Can not get the root node.\n");
-    goto end;
+    goto error;
   }
   printf("Output %s\n", filename);
   const char *model =
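Review bot: The malloc failure message in find_and_write_dtb is wrong on two counts: `buf_size` was already reduced by `tag_pos` a few lines earlier, so `buf_size - tag_pos` reports a size that was never requested, and `%u` does not match a `size_t` argument, which is undefined behaviour where `size_t` is wider than `unsigned int`. Use `fprintf(stderr, "malloc(%zu) failed.\n", buf_size);`, matching the `%zu` the later size message already uses. Separately, `fdt_check_full(fdt_ptr, buf_size)` should already reject a blob whose total size exceeds the buffer, so the `buf_size < fdt_size` branch looks unreachable; a short comment saying it is kept as a defensive check would help. The function body continues past the end of this hunk.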
@@ -84,22 +93,26 @@
   // Output DTB file
   if (write_fdt_to_file(filename, fdt_ptr) != 0) {
     fprintf(stderr, "Write file error: %s\n", filename);
-    goto end;
+    goto error;
   }
 
-end:
+  free(fdt_ptr);
+
   return tag_pos;
+
+error:
+  if (fdt_ptr) free(fdt_ptr);
+  return -1;
 }
 
-int extract_dtbs(const char *in_filename,
-                 const char *out_dtb_filename,
-                 const char *out_image_filename) {
+static int extract_dtbs(const char *in_filename, const char *out_dtb_filename,
+                        const char *out_image_filename) {
   int ret = 1;
   char *buf = NULL;
 
   size_t buf_size;
   buf = load_file(in_filename, &buf_size);
-  if (!buf) {
+  if (!buf || fdt_check_full(buf, buf_size)) {
     fprintf(stderr, "Can not load file: %s\n", in_filename);
     goto end;
   }
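Review bot: In extract_dtbs, `fdt_check_full(buf, buf_size)` validates the loaded file as if a device tree started at byte 0, yet find_and_write_dtb still searches the buffer for the header position and the function takes an `out_image_filename`, which suggests inputs may carry data ahead of the DTB; if so, this check rejects every such input before the search runs. Consider keeping only `if (!buf)` here and relying on the `fdt_check_full(fdt_ptr, buf_size)` call made on the located blob. The message `Can not load file` is also printed now when the file loaded but failed validation, here and in the same `load_file` checks in fdt_overlay_test_app.c and ufdt_overlay_test_app.c; a separate message such as `Invalid DTB: %s` would make the two failures distinguishable. extract_dtbs continues outside the hunk.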
diff --git a/tests/src/fdt_overlay_test_app.c b/tests/src/fdt_overlay_test_app.c
index 3b65a7d..04fcdd9 100644
--- a/tests/src/fdt_overlay_test_app.c
+++ b/tests/src/fdt_overlay_test_app.c
@@ -31,20 +31,25 @@
 
   size_t base_len;
   base_buf = load_file(base_filename, &base_len);
-  if (!base_buf) {
+  if (!base_buf || fdt_check_full(base_buf, base_len)) {
     fprintf(stderr, "Can not load base file: %s\n", base_filename);
     goto end;
   }
 
   size_t overlay_len;
   overlay_buf = load_file(overlay_filename, &overlay_len);
-  if (!overlay_buf) {
+  if (!overlay_buf || fdt_check_full(overlay_buf, overlay_len)) {
     fprintf(stderr, "Can not load overlay file: %s\n", overlay_filename);
     goto end;
   }
 
   size_t merged_buf_len = base_len + overlay_len;
   merged_buf = dto_malloc(merged_buf_len);
+  if (!merged_buf) {
+    fprintf(stderr, "Malloc failed: %zu bytes needed\n", merged_buf_len);
+    goto end;
+  }
+
   fdt_open_into(base_buf, merged_buf, merged_buf_len);
 
   clock_t start = clock();
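Review bot: The return value of `fdt_open_into(base_buf, merged_buf, merged_buf_len)` is still ignored right after the new allocation check, so a failed copy would leave `merged_buf` without a valid tree for the code that follows. libfdt declares that size parameter as `int`, while `merged_buf_len` is a `size_t` sum of two file lengths, so the value can also be narrowed on the way in. Check both, e.g. `if (merged_buf_len > INT_MAX || fdt_open_into(base_buf, merged_buf, (int)merged_buf_len) != 0) goto end;` (with `<limits.h>` included). The enclosing function starts and ends outside this hunk.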
diff --git a/tests/src/ufdt_overlay_test_app.c b/tests/src/ufdt_overlay_test_app.c
index e73158b..9d47476 100644
--- a/tests/src/ufdt_overlay_test_app.c
+++ b/tests/src/ufdt_overlay_test_app.c
@@ -32,14 +32,14 @@
 
   size_t blob_len;
   base_buf = load_file(base_filename, &blob_len);
-  if (!base_buf) {
+  if (!base_buf || fdt_check_full(base_buf, blob_len)) {
     fprintf(stderr, "Can not load base file: %s\n", base_filename);
     goto end;
   }
 
   size_t overlay_len;
   overlay_buf = load_file(overlay_filename, &overlay_len);
-  if (!overlay_buf) {
+  if (!overlay_buf || fdt_check_full(overlay_buf, overlay_len)) {
     fprintf(stderr, "Can not load overlay file: %s\n", overlay_filename);
     goto end;
   }
diff --git a/ufdt_convert.c b/ufdt_convert.c
index 990b578..3db12a0 100644
--- a/ufdt_convert.c
+++ b/ufdt_convert.c
@@ -350,10 +350,11 @@
 
   int data_len = 0;
   void *data = ufdt_node_get_fdt_prop_data(&prop_node->parent, &data_len);
-  int aligned_data_len = (data_len + (FDT_TAGSIZE - 1)) & ~(FDT_TAGSIZE - 1);
+  unsigned int aligned_data_len =
+      ((unsigned int)data_len + (FDT_TAGSIZE - 1u)) & ~(FDT_TAGSIZE - 1u);
 
-  int new_propoff = fdt_size_dt_struct(fdtp);
-  int new_prop_size = sizeof(struct fdt_property) + aligned_data_len;
+  unsigned int new_propoff = fdt_size_dt_struct(fdtp);
+  unsigned int new_prop_size = sizeof(struct fdt_property) + aligned_data_len;
   struct fdt_property *new_prop =
       (struct fdt_property *)((char *)fdtp + fdt_off_dt_struct(fdtp) +
                               new_propoff);
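Review bot: `data` is not checked for NULL in the visible lines, although this commit gives `ufdt_node_get_fdt_prop_data` a new NULL return for a property length above `INT_MAX` (ufdt_node.c). On that path `data_len` stays 0, so the sizes computed here are small, but any later copy from `data` would be handed a null source; add `if (data == NULL) return <this function's error value>;` straight after the call. The switch to `unsigned int` would also benefit from a one-line comment, for example `/* unsigned: rounding up a length near INT_MAX must not overflow a signed int */`. The function starts and ends outside this hunk, so an existing check further down cannot be ruled out.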
diff --git a/ufdt_node.c b/ufdt_node.c
index 89e2a17..3568ad7 100644
--- a/ufdt_node.c
+++ b/ufdt_node.c
@@ -126,7 +126,13 @@
   }
   const struct fdt_property *prop = (struct fdt_property *)node->fdt_tag_ptr;
   if (out_len != NULL) {
-    *out_len = fdt32_to_cpu(prop->len);
+    uint32_t prop_len = fdt32_to_cpu(prop->len);
+
+    if (prop_len > INT_MAX) {
+      return NULL;
+    }
+
+    *out_len = prop_len;
   }
   return (char *)prop->data;
 }
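Review bot: The new `prop_len > INT_MAX` return changes the function's contract without documenting it: NULL now also means the length is not representable, and `*out_len` is left unwritten on that path. Add a comment above the function such as `/* Returns NULL, leaving *out_len untouched, when prop->len does not fit in an int. */`. The guard only protects the conversion to `int`; it does not establish that `prop_len` bytes actually lie inside the blob, so callers still depend on the tree having been validated beforehand, as the test apps in this commit do with `fdt_check_full`. `INT_MAX` needs `<limits.h>`, whose include is not visible in this hunk. The function starts outside the hunk.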
diff --git a/ufdt_overlay.c b/ufdt_overlay.c
index 43b4f56..16210ae 100644
--- a/ufdt_overlay.c
+++ b/ufdt_overlay.c
@@ -448,12 +448,14 @@
   int len = 0;
   prop_offsets_ptr = ufdt_node_get_fdt_prop_data(local_fixup_prop_node, &len);
 
+  if (prop_offsets_ptr == NULL || len % sizeof(fdt32_t) != 0) return -1;
+
   char *prop_data;
   int target_length = 0;
 
   prop_data = ufdt_node_get_fdt_prop_data(target_prop_node, &target_length);
 
-  if (prop_offsets_ptr == NULL || prop_data == NULL) return -1;
+  if (prop_data == NULL) return -1;
 
   int i;
   for (i = 0; i < len; i += sizeof(fdt32_t)) {
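Review bot: The new guard `len % sizeof(fdt32_t) != 0` carries no comment on why a fixup list whose length is not a multiple of the cell size is rejected; assuming the loop reads one `fdt32_t` per step, something like `/* each fixup is one fdt32_t cell; a trailing partial cell would be read past the property */` above it would record the intent. The expression also mixes a signed `int` with `size_t`, which is only safe because `len` cannot be negative here; `(size_t)len % sizeof(fdt32_t)` makes that explicit. The loop body is outside the hunk, so whether each offset read from the list is bounded by `target_length` cannot be confirmed from these lines.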