[Crosstoolchain-logs] [device-tree-compiler] 167/198: libfdt: Fix undefined behaviour in fdt_offset_ptr()

Hector Oron zumbi at moszumanska.debian.org
Thu Dec 8 17:07:06 UTC 2016


This is an automated email from the git hooks/post-receive script.

zumbi pushed a commit to branch upstream/1.4.x
in repository device-tree-compiler.

commit d0b3ab0a0f46ac929b4713da46f7fdcd893dd3bd
Author: David Gibson <david at gibson.dropbear.id.au>
Date:   Thu Dec 17 17:19:11 2015 +1100

    libfdt: Fix undefined behaviour in fdt_offset_ptr()
    
    Using pointer arithmetic to generate a pointer outside a known object is,
    technically, undefined behaviour in C.  Unfortunately, we were using that
    in fdt_offset_ptr() to detect overflows.
    
    To fix this we need to do our bounds / overflow checking on the offsets
    before constructing pointers from them.
    
    Reported-by: David Binderman <dcb314 at hotmail.com>
    Signed-off-by: David Gibson <david at gibson.dropbear.id.au>
---
 libfdt/fdt.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/libfdt/fdt.c b/libfdt/fdt.c
index 2ce6a44..22286a1 100644
--- a/libfdt/fdt.c
+++ b/libfdt/fdt.c
@@ -76,18 +76,19 @@ int fdt_check_header(const void *fdt)
 
 const void *fdt_offset_ptr(const void *fdt, int offset, unsigned int len)
 {
-	const char *p;
+	unsigned absoffset = offset + fdt_off_dt_struct(fdt);
+
+	if ((absoffset < offset)
+	    || ((absoffset + len) < absoffset)
+	    || (absoffset + len) > fdt_totalsize(fdt))
+		return NULL;
 
 	if (fdt_version(fdt) >= 0x11)
 		if (((offset + len) < offset)
 		    || ((offset + len) > fdt_size_dt_struct(fdt)))
 			return NULL;
 
-	p = _fdt_offset_ptr(fdt, offset);
-
-	if (p + len < p)
-		return NULL;
-	return p;
+	return _fdt_offset_ptr(fdt, offset);
 }
 
 uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
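Review bot: The new first test `absoffset < offset` compares an `unsigned` against the signed `int offset`, so it only works through the implicit conversion of `offset` to unsigned, and a negative `offset` is never rejected explicitly; it is left to the wraparound checks to catch. An explicit `offset < 0` test before computing `absoffset` would make the intent visible and remove the dependence on conversion rules. The retained `(offset + len) < offset` test in the `fdt_version(fdt) >= 0x11` branch has the same mixed-sign comparison. A one-line comment above the new block stating that all bounds checks are done on offsets before any pointer is formed would also keep the rationale from the commit message in the code, since nothing in the function now says why `_fdt_offset_ptr()` is called last.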

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/crosstoolchain/device-tree-compiler.git


