[U-Boot,RESEND,v2,23/27] cfi_flash: Bound-check index before array access

Message ID 20180115100233.19809-23-mario.six@gdsys.cc
State Superseded
Delegated to: Stefan Roese
Series [U-Boot,RESEND,v2,01/27] cfi_flash: Fix space between function name and parenthesis

Commit Message

Mario Six Jan. 15, 2018, 10:02 a.m. UTC
In a while loop in cfi_flash.c the array "start" is accessed at the index
"sector" before the index variable "sector" is bounds-checked, which
might lead to accesses beyond the bounds of the array.

Swap the order of the checks in the "&&" expression, so that the
short-circuit evaluation prevents out-of-bounds array accesses.

Signed-off-by: Mario Six <mario.six@gdsys.cc>
---

v1 -> v2:
None

---
 drivers/mtd/cfi_flash.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.11.0
Patch

diff --git a/drivers/mtd/cfi_flash.c b/drivers/mtd/cfi_flash.c
index 5ba0c5fdec..61c2e6379d 100644
--- a/drivers/mtd/cfi_flash.c
+++ b/drivers/mtd/cfi_flash.c
@@ -761,8 +761,8 @@  static flash_sect_t find_sector(flash_info_t *info, ulong addr)
 	if (info != saved_info || sector >= info->sector_count)
 		sector = 0;

-	while ((info->start[sector] < addr) &&
-		(sector < info->sector_count - 1))
+	while ((sector < info->sector_count - 1) &&
+		(info->start[sector] < addr))
 		sector++;
 	while ((info->start[sector] > addr) && (sector > 0))
 		/*
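Review bot: The reordered condition in the first while loop still leaves the info->sector_count == 0 case open, and that looks like the only case where an out-of-range read was reachable here. The guard just above already forces sector below info->sector_count (or resets it to 0), and the loop stops incrementing at sector_count - 1, so with a non-zero count the old operand order could not index past the last sector either. With a zero count, sector is reset to 0, the expression info->sector_count - 1 becomes -1 or wraps to a large value depending on operand types that are not visible in this hunk, and info->start[0] is then read by this loop or by the following one, which still evaluates info->start[sector] before its (sector > 0) test. Consider an explicit early return when info->sector_count is 0, and say in the commit message whether this change is defensive hardening or a fix for an access that can actually happen.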