fdt_offset_ptr() may return a NULL pointer. Check the return value of fdt_offset_ptr() for NULL unconditionally to prevent sandbox crashes.
Signed-off-by: Marek Vasut <[email protected]>
---
Cc: Adriano Cordova <[email protected]>
Cc: Andrew Goodbody <[email protected]>
Cc: Christian Marangi <[email protected]>
Cc: Heinrich Schuchardt <[email protected]>
Cc: Ilias Apalodimas <[email protected]>
Cc: Patrice Chotard <[email protected]>
Cc: Sam Edwards <[email protected]>
Cc: Simon Glass <[email protected]>
Cc: Tom Rini <[email protected]>
Cc: [email protected]
---
 scripts/dtc/libfdt/fdt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/dtc/libfdt/fdt.c b/scripts/dtc/libfdt/fdt.c
index 95f644c31f9..d16cc3d4730 100644
--- a/scripts/dtc/libfdt/fdt.c
+++ b/scripts/dtc/libfdt/fdt.c
@@ -168,7 +168,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 *nextoffset = -FDT_ERR_TRUNCATED;
 tagp = fdt_offset_ptr(fdt, offset, FDT_TAGSIZE);
- if (!can_assume(VALID_DTB) && !tagp)
+ if (!tagp)
 return FDT_END; /* premature end */
 tag = fdt32_to_cpu(*tagp);
 offset += FDT_TAGSIZE;
@@ -186,7 +186,7 @@ uint32_t fdt_next_tag(const void *fdt, int startoffset, int *nextoffset)
 case FDT_PROP:
 lenp = fdt_offset_ptr(fdt, offset, sizeof(*lenp));
- if (!can_assume(VALID_DTB) && !lenp)
+ if (!lenp)
 return FDT_END; /* premature end */
 len = fdt32_to_cpu(*lenp);
-- 
2.51.0
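Review bot: The now-unconditional `if (!tagp)` check, and the matching `if (!lenp)` in the FDT_PROP hunk, carry no comment saying why they must not be gated on `can_assume(VALID_DTB)`, so a later cleanup could put the guard back and reintroduce the NULL dereference on `*tagp` / `*lenp`. I would add above each check something like `/* fdt_offset_ptr() can return NULL even when VALID_DTB is assumed; always check before dereferencing */`. The body of fdt_next_tag() continues outside both hunks, so it is not visible here whether other fdt_offset_ptr() results in this function are still checked only under `can_assume(VALID_DTB)`; if they are, they presumably need the same treatment, since the blob contents reaching this parser may not be trustworthy.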

