From 3a663227a3c2206981dafe911883c983dd2bb9b8 Mon Sep 17 00:00:00 2001
From: Vijay Kumar Pendoti
Date: Tue, 14 Sep 2021 16:54:48 +0530
Subject: [PATCH] lib: fdt: fix integer overflow check
Signed-off-by: Rajkumar Ayyasamy
Change-Id: I5649ff5c24cdb6b60f546417555f38691cd1005a
---
 lib/libfdt/fdt.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/lib/libfdt/fdt.c b/lib/libfdt/fdt.c
index f47e860ea4..673bab44e6 100644
--- a/lib/libfdt/fdt.c
+++ b/lib/libfdt/fdt.c
@@ -18,6 +18,9 @@ int fdt_check_header(const void *fdt)
 {
+ uintptr_t fdt_start, fdt_end;
+ fdt_start = (uintptr_t)fdt;
+
 if (fdt_magic(fdt) == FDT_MAGIC) {
 /* Complete tree */
 if (fdt_version(fdt) < FDT_FIRST_SUPPORTED_VERSION)
@@ -32,16 +35,22 @@ int fdt_check_header(const void *fdt)
 return -FDT_ERR_BADMAGIC;
 }
- if (fdt_off_dt_struct(fdt) > (UINT_MAX - fdt_size_dt_struct(fdt)))
+ if(fdt_start + fdt_totalsize(fdt) < fdt_start)
+ {
+ return FDT_ERR_BADOFFSET;
+ }
+ fdt_end = fdt_start + fdt_totalsize(fdt);
+
+ if (((uint64_t)fdt_start + (uint64_t)fdt_off_dt_struct(fdt) + (uint64_t)fdt_size_dt_struct(fdt)) > UINT_MAX)
 return FDT_ERR_BADOFFSET;
- if (fdt_off_dt_strings(fdt) > (UINT_MAX - fdt_size_dt_strings(fdt)))
+ if ((fdt_start + fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt)) > fdt_end)
 return FDT_ERR_BADOFFSET;
- if ((fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt)) > fdt_totalsize(fdt))
+ if (((uint64_t)fdt_start + (uint64_t)fdt_off_dt_strings(fdt) + (uint64_t)fdt_size_dt_strings(fdt)) > UINT_MAX)
 return FDT_ERR_BADOFFSET;
- if ((fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt)) > fdt_totalsize(fdt))
+ if ((fdt_start + fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt)) > fdt_end)
 return FDT_ERR_BADOFFSET;
 return 0;
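Review bot: Deriving `fdt_start` from the blob's address on the added `fdt_start = (uintptr_t)fdt;` line turns a bounds check on 32-bit in-blob offsets into one that depends on where the blob is mapped, which the size-only checks it replaces did not. The second hunk then compares `(uint64_t)fdt_start + off + size` against `UINT_MAX`, so on a 64-bit build any blob mapped above 4 GiB is rejected with FDT_ERR_BADOFFSET even when its header is well-formed. The overflow-proof form needs no pointer: widen the offset arithmetic instead, `if ((uint64_t)fdt_off_dt_struct(fdt) + fdt_size_dt_struct(fdt) > fdt_totalsize(fdt))` and `if ((uint64_t)fdt_off_dt_strings(fdt) + fdt_size_dt_strings(fdt) > fdt_totalsize(fdt))`, each returning the error, after which `fdt_start` and `fdt_end` can be dropped from this hunk. fdt_check_header's body continues past this hunk.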