[Crosstoolchain-logs] [device-tree-compiler] 166/198: libfdt: check for potential overrun in _fdt_splice()

Hector Oron zumbi at moszumanska.debian.org
Thu Dec 8 17:07:06 UTC 2016


This is an automated email from the git hooks/post-receive script.

zumbi pushed a commit to branch upstream/1.4.x
in repository device-tree-compiler.

commit d4c7c25c9ed138df8bafbe61097c27c9d2629ee3
Author: Courtney Cavin <courtney.cavin at sonymobile.com>
Date:   Tue Dec 1 16:43:10 2015 -0800

    libfdt: check for potential overrun in _fdt_splice()
    
    This patch catches the conditions where:
     - 'splicepoint' is set to a point outside of [ fdt, fdt_totalsize(fdt) )
     - 'newlen' is negative, or 'splicepoint' plus 'newlen' results in overflow
    
    Either of these cases can be caused by math which overflows in calling
    functions, or by sizes specified through dynamic means.
    
    Signed-off-by: Courtney Cavin <courtney.cavin at sonymobile.com>
    Signed-off-by: Bjorn Andersson <bjorn.andersson at sonymobile.com>
---
 libfdt/fdt_rw.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/libfdt/fdt_rw.c b/libfdt/fdt_rw.c
index 70adec6..8be02b1 100644
--- a/libfdt/fdt_rw.c
+++ b/libfdt/fdt_rw.c
@@ -101,6 +101,8 @@ static int _fdt_splice(void *fdt, void *splicepoint, int oldlen, int newlen)
 
 	if (((p + oldlen) < p) || ((p + oldlen) > end))
 		return -FDT_ERR_BADOFFSET;
+	if ((p < (char *)fdt) || ((end - oldlen + newlen) < (char *)fdt))
+		return -FDT_ERR_BADOFFSET;
 	if ((end - oldlen + newlen) > ((char *)fdt + fdt_totalsize(fdt)))
 		return -FDT_ERR_NOSPACE;
 	memmove(p + newlen, p + oldlen, end - p - oldlen);
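Review bot: The added test `((end - oldlen + newlen) < (char *)fdt)` only rejects a negative `newlen` when the result lands below `fdt`, so it does not fully cover the "'newlen' is negative" case the commit message describes. A small negative `newlen` still reaches `memmove(p + newlen, ...)`. Like the existing `(p + oldlen) < p` test, it also detects overflow by comparing a pointer that has already been computed out of range. That is undefined behaviour in C, and a compiler is allowed to drop such a comparison. Consider rejecting `oldlen < 0 || newlen < 0` explicitly and doing the bounds arithmetic on integer offsets relative to `fdt` and `fdt_totalsize(fdt)` before forming any pointers. A one-line comment on which caller-side overflows the check guards against would also help.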

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/crosstoolchain/device-tree-compiler.git


