device_tree: Fix integer overflowing in load_device_tree()
If the value of get_image_size() exceeds INT_MAX / 2 - 10000, the
computation of @dt_size overflows to a negative number, which then
gets converted to a very large size_t for g_malloc0() and
load_image_size(). In the (fortunately improbable) case g_malloc0()
succeeds and load_image_size() survives, we'd assign the negative
number to *sizep. What that would do to the callers I can't say, but
it's unlikely to be good.
Fix by rejecting images whose size would overflow.
Reported-by: Kurtis Miller <firstname.lastname@example.org>
Signed-off-by: Markus Armbruster <email@example.com>
Reviewed-by: Philippe Mathieu-Daudé <firstname.lastname@example.org>
Signed-off-by: Alistair Francis <email@example.com>