From c0c2e115f82ed3bc5f9d3f9e5380f0f7e81a1c21 Mon Sep 17 00:00:00 2001
From: LoveSy
Date: Wed, 15 Dec 2021 17:30:11 +0800
Subject: [PATCH] Fix a UB when fdt_get_string return null

When fdt_get_string return null, `namep` is not correctly reset. From the document of `fdt_getprop_by_offset`, the parameter `namep` will be always overwritten (that is, it will be overwritten without exception of error occurance). As for the caller (like https://github.com/topjohnwu/Magisk/blob/e097c097feb881f6097b6d1dc346f310bc92f5d6/native/jni/magiskboot/dtb.cpp#L42), the code may be like:
```cpp
size_t size;
const char *name;
auto *value = fdt_getprop_by_offset(fdt, prop, &name, &size);
```
and if `value == nullptr`, `size` is also be overwritten correctly but `name` is not, which is quite inconsistent. This commit makes sure `name` and `size` behavior consistently (reset to reasonable value) when error occurs.

Signed-off-by: LoveSy
Signed-off-by: David Gibson
---
 libfdt/fdt_ro.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libfdt/fdt_ro.c b/libfdt/fdt_ro.c
index 17584da..9f6c551 100644
--- a/libfdt/fdt_ro.c
+++ b/libfdt/fdt_ro.c
@@ -481,12 +481,12 @@ const void *fdt_getprop_by_offset(const void *fdt, int offset,
 		if (!can_assume(VALID_INPUT)) {
 			name = fdt_get_string(fdt, fdt32_ld_(&prop->nameoff),
 					      &namelen);
+			*namep = name;
 			if (!name) {
 				if (lenp)
 					*lenp = namelen;
 				return NULL;
 			}
-			*namep = name;
 		} else {
 			*namep = fdt_string(fdt, fdt32_ld_(&prop->nameoff));
 		}
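Review bot: The doc comment for fdt_getprop_by_offset (outside this patch; the description quotes it as saying namep is "always overwritten") still does not say what value the caller receives on failure, so the contract fixed by the moved `*namep = name;` should be written down, e.g. `namep: pointer to a string variable (will be overwritten; set to NULL on error) or NULL` next to the existing parameter description. Both branches in the hunk store through namep unconditionally, so callers passing a NULL namep presumably rely on a check earlier in the function; the function's body begins and ends outside this hunk, so that guard is worth confirming rather than assumed. The can_assume(VALID_INPUT) branch is unchanged, which is consistent with it assuming a well-formed tree, but a regression test that feeds a property whose nameoff lies outside the strings block and asserts `*namep == NULL` alongside the NULL return would pin the new behaviour.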