Catch unsigned 32bit overflow when parsing flattened device tree offsets

We have a couple of checks of the form:

    if (offset+size > totalsize)
        die();

We need to check that offset+size doesn't overflow, otherwise the check
will pass, and we may access past totalsize.

Found with AFL.

Signed-off-by: Anton Blanchard <anton@samba.org>
[Added a testcase]
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Anton Blanchard 2016-01-03 08:43:35 +11:00 committed by David Gibson
parent b06e55c88b
commit 2e53f9d2f0
5 changed files with 37 additions and 2 deletions


@ -889,7 +889,7 @@ struct boot_info *dt_from_blob(const char *fname)
if (version >= 3) {
uint32_t size_str = fdt32_to_cpu(fdt->size_dt_strings);
if (off_str+size_str > totalsize)
if ((off_str+size_str < off_str) || (off_str+size_str > totalsize))
die("String table extends past total size\n");
inbuf_init(&strbuf, blob + off_str, blob + off_str + size_str);
} else {
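Review bot: the new wrap test on the string-table check, (off_str+size_str < off_str), is only correct if the sum is evaluated in unsigned 32-bit arithmetic, and the declaration of off_str is outside this hunk, so that cannot be confirmed from the lines shown (only size_str is visibly uint32_t). A form that never computes the sum avoids the dependency on operand width: if (off_str > totalsize || size_str > totalsize - off_str). It also makes the intent readable without having to reason about wraparound, and it keeps inbuf_init() from ever being reached with blob + off_str + size_str outside the blob.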
@ -898,7 +898,7 @@ struct boot_info *dt_from_blob(const char *fname)
if (version >= 17) {
size_dt = fdt32_to_cpu(fdt->size_dt_struct);
if (off_dt+size_dt > totalsize)
if ((off_dt+size_dt < off_dt) || (off_dt+size_dt > totalsize))
die("Structure block extends past total size\n");
}
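Review bot: the structure-block check repeats the same two-part condition as the string-table check above with only the variable names changed (off_dt+size_dt < off_dt, then off_dt+size_dt > totalsize), so the two copies can drift apart in later edits. Consider a small helper that takes offset, size and totalsize and returns whether the range fits, written without the addition (offset > totalsize || size > totalsize - offset), and call it from both places. Also note that this check sits inside the version >= 17 branch, so it is worth stating in a comment how size_dt is bounded for older versions, since that path is not visible in this hunk.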