From 01b8983f671d515b4f5c982e0e5f2fdb48b6cae3 Mon Sep 17 00:00:00 2001
From: vijay kumar
Date: Tue, 12 Aug 2014 20:35:44 +0530
Subject: [PATCH] lib: fdt: add integer overflow checks in fdt header these checks will usefull in finding the integer overflow in fdt header fields.
(cherry picked from commit b6b7c1e767cd03e34fe835115d01f83d935abf3a)
Change-Id: I8469116124e4c0086885994132345df95bbf3bdc
Signed-off-by: Kathiravan T
---
 lib/libfdt/fdt.c | 14 ++++++++++++++
 lib/libfdt/fdt_rw.c | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/libfdt/fdt.c b/lib/libfdt/fdt.c
index e146aba6eb..f47e860ea4 100644
--- a/lib/libfdt/fdt.c
+++ b/lib/libfdt/fdt.c
@@ -14,6 +14,8 @@
 #include "libfdt_internal.h"
+#define UINT_MAX (~0U)
+
 int fdt_check_header(const void *fdt)
 {
 if (fdt_magic(fdt) == FDT_MAGIC) {
@@ -30,6 +32,18 @@ int fdt_check_header(const void *fdt)
 return -FDT_ERR_BADMAGIC;
 }
+ if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))
+ return FDT_ERR_BADOFFSET;
+
+ if (fdt_off_dt_strings(fdt) > (UINT_MAX - fdt_size_dt_strings(fdt)))
+ return FDT_ERR_BADOFFSET;
+
+ if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt)) > fdt_totalsize(fdt))
+ return FDT_ERR_BADOFFSET;
+
+ if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt)) > fdt_totalsize(fdt))
+ return FDT_ERR_BADOFFSET;
+
 return 0;
 }
diff --git a/lib/libfdt/fdt_rw.c b/lib/libfdt/fdt_rw.c
index 1a358a8ca0..4420e07b64 100644
--- a/lib/libfdt/fdt_rw.c
+++ b/lib/libfdt/fdt_rw.c
@@ -353,7 +353,7 @@ int fdt_del_node(void *fdt, int nodeoffset)
 static void _fdt_packblocks(const char *old, char *new, int mem_rsv_size, int struct_size)
 {
- int mem_rsv_off, struct_off, strings_off;
+ uint32_t mem_rsv_off, struct_off, strings_off;
 mem_rsv_off = FDT_ALIGN(sizeof(struct fdt_header), 8);
 struct_off = mem_rsv_off + mem_rsv_size;
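Review bot: The new `#define UINT_MAX (~0U)` near the top of fdt.c reuses the standard <limits.h> name without a guard, so any build where a header reached from this file already defines UINT_MAX gets a redefinition. Wrapping it as `#ifndef UINT_MAX` / `#define UINT_MAX (~0U)` / `#endif` avoids that. The bound is also tied to the width of `unsigned int`, while the header offsets and sizes it is compared against further down are 32-bit fields, so a comment such as `/* upper bound for 32-bit FDT header fields; assumes 32-bit unsigned int */` would make the assumption visible.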
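Review bot: The four added checks in fdt_check_header return `FDT_ERR_BADOFFSET` as a positive value, while the existing error path just above them returns `-FDT_ERR_BADMAGIC`. A caller that tests the result with `< 0` would therefore accept a header whose offset/size pairs overflow or run past totalsize, which is the malformed input these checks are meant to reject. Each of the four should be `return -FDT_ERR_BADOFFSET;`. The function starts outside this hunk, so whether the same bounds are valid for the unfinished sequential-write branch cannot be judged from here and is worth confirming.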
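Review bot: Switching `mem_rsv_off, struct_off, strings_off` to `uint32_t` in _fdt_packblocks makes the additions wrap with defined behaviour but does not detect a wrap. `mem_rsv_size` and `struct_size` are still `int`, so a negative size is converted to a large unsigned value in `struct_off = mem_rsv_off + mem_rsv_size;`. If the callers cannot guarantee non-negative, bounded sizes, a guard is needed before the offsets are used; otherwise a comment such as `/* sizes are validated by the caller; offsets are 32-bit to match the header fields */` would record the assumption. The rest of the function is outside the hunk, so how the offsets are consumed is not visible here.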