author | Jean-Christophe Dubois <jcd@tribudubois.net> | 2016-07-13 02:31:13 +0200 |
---|---|---|
committer | David Gibson <david@gibson.dropbear.id.au> | 2016-07-24 00:38:00 +1000 |
commit | e24d39a024e608476ffc896c5d02afa117a54cd7 (patch) | |
tree | ba7eebcab6aa04eccfcaca879941d5259dee4534 | |
parent | 44a59713cf0518382cb8fe705f59fd974a1ac030 (diff) | |
fdtdump.c: make sure size_t argument to memchr is always unsigned.
CID 132817 (#1 of 1): Integer overflowed argument (INTEGER_OVERFLOW)
15. overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) endp - p - 4L used as critical argument to function.
Signed-off-by: Jean-Christophe Dubois <jcd@tribudubois.net>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
-rw-r--r-- | fdtdump.c | 10 |
1 files changed, 6 insertions, 4 deletions
@@ -15,6 +15,8 @@
 #include "util.h"
+#define FDT_MAGIC_SIZE 4
+
 #define ALIGN(x, a) (((x) + ((a) - 1)) & ~((a) - 1))
 #define PALIGN(p, a) ((void *)(ALIGN((unsigned long)(p), (a))))
 #define GET_CELL(p) (p += 4, *((const uint32_t *)(p-4)))
@@ -188,15 +190,15 @@ int main(int argc, char *argv[])
 /* try and locate an embedded fdt in a bigger blob */
 if (scan) {
- unsigned char smagic[4];
+ unsigned char smagic[FDT_MAGIC_SIZE];
 char *p = buf;
 char *endp = buf + len;
 fdt_set_magic(smagic, FDT_MAGIC);
 /* poor man's memmem */
- while (true) {
- p = memchr(p, smagic[0], endp - p - 4);
+ while ((endp - p) >= FDT_MAGIC_SIZE) {
+ p = memchr(p, smagic[0], endp - p - FDT_MAGIC_SIZE);
 if (!p)
 break;
 if (fdt_magic(p) == FDT_MAGIC) {
@@ -215,7 +217,7 @@ int main(int argc, char *argv[])
 }
 ++p;
 }
- if (!p)
+ if (!p || ((endp - p) < FDT_MAGIC_SIZE))
 die("%s: could not locate fdt magic\n", file);
 printf("%s: found fdt at offset %#zx\n", file, p - buf);
 buf = p;
|
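Review bot: In the second hunk (`@@ -188,15 +190,15 @@`) the new loop condition is the only thing that keeps the `memchr` length from going negative and wrapping to a huge `size_t`, and nothing in the code records that dependency. A comment above the loop, such as `/* guard keeps endp - p - FDT_MAGIC_SIZE >= 0 so the memchr length cannot wrap */`, would stop a later refactor from reintroducing the out-of-bounds scan on short or truncated input. The length `endp - p - FDT_MAGIC_SIZE` also leaves the last offset where a magic would still fit (`endp - FDT_MAGIC_SIZE`) unsearched. That looks harmless, since a full header presumably cannot fit there, but if it is intentional it deserves a word in the same comment. The post-loop test in the third hunk relies on the same invariant, and `main` begins and ends outside these hunks.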