[automerger skipped] Merge Android 13 QPR2 am: 6fdc9953f4 -s ours am: 4dd58128c0 -s ours am: 4241296c2c -s ours
am skip reason: Merged-In I03a56f68a7e53d941809560b943153b8fc31decc with SHA-1 cd47b8f445 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/libufdt/+/2487024
Change-Id: I13480bb2489b45a0eea0310acac16de05ece2df1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/ufdt_convert.c b/ufdt_convert.c
index 3db12a0..8147f5b 100644
--- a/ufdt_convert.c
+++ b/ufdt_convert.c
@@ -40,6 +40,8 @@
res_ufdt->mem_size_fdtps = DEFAULT_MEM_SIZE_FDTPS;
res_ufdt->num_used_fdtps = (fdtp != NULL ? 1 : 0);
res_ufdt->root = NULL;
+ res_ufdt->phandle_table.data = NULL;
+ res_ufdt->phandle_table.len = 0;
return res_ufdt;
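Review bot: Setting `phandle_table.data` and `phandle_table.len` one member at a time fixes these two fields, but any member added to the struct later will again start out uninitialised unless it is also listed here. The allocation of `res_ufdt` is outside the hunk; if it does not already zero the memory, a single `dto_memset(res_ufdt, 0, sizeof(*res_ufdt));` right after the allocation check would cover the whole struct. If the explicit assignments are kept, a short comment such as `/* built lazily; NULL/0 means "no table yet" */` above them would record why the cleanup paths rely on these values.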
@@ -350,6 +352,11 @@
int data_len = 0;
void *data = ufdt_node_get_fdt_prop_data(&prop_node->parent, &data_len);
+ if (!data) {
+ dto_error("Failed to get property data.\n");
+ return -1;
+ }
+
unsigned int aligned_data_len =
((unsigned int)data_len + (FDT_TAGSIZE - 1u)) & ~(FDT_TAGSIZE - 1u);
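Review bot: `data_len` is still used unchecked in the `aligned_data_len` computation directly after the new NULL test. It is a signed `int` that presumably comes from the length field of the blob, so a non-NULL `data` with a negative `data_len` would be cast to a very large unsigned value, and adding `FDT_TAGSIZE - 1u` can then wrap to a small one. Rejecting it in the same guard closes that path: `if (!data || data_len < 0) {`. The rest of the function, including how `aligned_data_len` is consumed, is outside the hunk, so the impact should be confirmed against the copy that follows.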
diff --git a/ufdt_overlay.c b/ufdt_overlay.c
index 16210ae..69467a6 100644
--- a/ufdt_overlay.c
+++ b/ufdt_overlay.c
@@ -163,7 +163,12 @@
prop_offset = dto_strtoul(offset_ptr, &end_ptr, 10 /* base */);
if (*end_ptr != '\0') {
- dto_error("'%s' is not valid number\n", offset_ptr);
+ dto_error("'%s' is not a valid number\n", offset_ptr);
+ goto fail;
+ }
+
+ if (prop_offset < 0) {
+ dto_error("'%s' is not a valid offset\n", offset_ptr);
goto fail;
}
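Review bot: The new `prop_offset < 0` test catches only the out-of-range values that happen to land negative after `dto_strtoul`'s unsigned result is stored in `prop_offset`. The declaration is outside the hunk, but the comparison implies a signed type, so on a platform with a 64-bit `unsigned long` a value such as 4294967300 would be narrowed to a small positive offset and accepted. Parsing into an `unsigned long` first and rejecting anything above `INT_MAX` before the assignment would make the range check exact. Separately, `*end_ptr != '\0'` also passes for an empty `offset_ptr`, which then reads as offset 0; `if (end_ptr == offset_ptr || *end_ptr != '\0') {` would reject it.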
@@ -183,7 +188,8 @@
/*
* Note that prop_offset is the offset inside the property data.
*/
- if (prop_len < prop_offset + (int)sizeof(uint32_t)) {
+ if (prop_len < (int)sizeof(uint32_t) ||
+ prop_offset > prop_len - (int)sizeof(uint32_t)) {
dto_error("%s: property length is too small for fixup\n", path);
goto fail;
}
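Review bot: The rewritten bound check is only safe because `prop_offset` was already proven non-negative by a test added in an earlier hunk, and nothing at this site says so. The existing comment above the `if` could be extended to record both that invariant and the reason for the subtraction form, for example `* prop_offset is >= 0 here; compare by subtraction because prop_offset + sizeof(uint32_t) can overflow int.` That keeps a later refactor from restoring the additive form or moving the sign check. The write that this check guards is outside the hunk.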