author | Angel Pons <th3fanbus@gmail.com> | 2020-03-31 15:34:35 +0200 |
---|---|---|
committer | Angel Pons <th3fanbus@gmail.com> | 2020-04-25 15:16:24 +0000 |
commit | e0272e2b6f8860152d0edf72263a80426fd7d5e3 (patch) | |
tree | 722d2e87c2a1e30773963921fe68a4ef6e5a68c9 | |
parent | 2ee489d7ef5b653c50522a8dad699eee622078ab (diff) | |
download | flashrom-e0272e2b6f8860152d0edf72263a80426fd7d5e3.tar.gz flashrom-e0272e2b6f8860152d0edf72263a80426fd7d5e3.tar.bz2 flashrom-e0272e2b6f8860152d0edf72263a80426fd7d5e3.zip |
ft2232_spi.c: Improve handling of static buffer
If `buf` became NULL because of an error, subsequent calls to the
`ft2232_spi_send_command` function with a smaller buffer size will
result in a null pointer dereference. Add an additional null check
before using `buf` to prevent that. Moreover, use `size_t` for the
`bufsize` and `oldbufsize` variables, as it's what `realloc` uses.
Change-Id: Idc4237ddca94c42ce2a930e6d00fd2d14e4f125c
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/39975
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
-rw-r--r-- | ft2232_spi.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/ft2232_spi.c b/ft2232_spi.c index 520eb6e1..9f4c7f03 100644 --- a/ft2232_spi.c +++ b/ft2232_spi.c @@ -468,8 +468,8 @@ static int ft2232_spi_send_command(struct flashctx *flash, static unsigned char *buf = NULL; /* failed is special. We use bitwise ops, but it is essentially bool. */ int i = 0, ret = 0, failed = 0; - int bufsize; - static int oldbufsize = 0; + size_t bufsize; + static size_t oldbufsize = 0; if (writecnt > 65536 || readcnt > 65536) return SPI_INVALID_LENGTH; @@ -477,7 +477,7 @@ static int ft2232_spi_send_command(struct flashctx *flash, /* buf is not used for the response from the chip. */ bufsize = max(writecnt + 9, 260 + 9); /* Never shrink. realloc() calls are expensive. */ - if (bufsize > oldbufsize) { + if (!buf || bufsize > oldbufsize) { buf = realloc(buf, bufsize); if (!buf) { msg_perr("Out of memory!\n"); |
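Review bot: in the first hunk (@@ -468,8), the `int` to `size_t` change for `bufsize` and `oldbufsize` is a type cleanup that is independent of the null-pointer fix in the second hunk; splitting it into its own commit would keep the bugfix minimal and easy to backport. The change itself is safe here because the preceding `if (writecnt > 65536 || readcnt > 65536) return SPI_INVALID_LENGTH;` bounds the sizes far below any `size_t` wrap, and `bufsize > oldbufsize` now compares two unsigned values, so no signed/unsigned mismatch is introduced.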
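Review bot: in the second hunk (@@ -477,7), the added `!buf ||` guard stops the crash but leaves the root cause in place: `buf = realloc(buf, bufsize);` overwrites the only pointer to the old buffer, so a failed `realloc()` both leaks the previous allocation and is exactly what sets `buf` to NULL in the first place. Assigning through a temporary avoids both problems and keeps the static buffer usable after a transient allocation failure, e.g. `unsigned char *newbuf = realloc(buf, bufsize); if (!newbuf) { msg_perr("Out of memory!\n"); ... } buf = newbuf;`. It is also worth confirming that `oldbufsize` is only updated after a successful `realloc()`; the hunk ends before that assignment is visible.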