From: Mario Six To: U-Boot Mailing List , Stefan Roese , Masahiro Yamada , Simon Glass , Marek Vasut , Patrice Chotard Date: Mon, 15 Jan 2018 11:02:29 +0100 Message-Id: <20180115100233.19809-23-mario.six@gdsys.cc> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180115100233.19809-1-mario.six@gdsys.cc> References: <20180115100233.19809-1-mario.six@gdsys.cc> X-Df-Sender: bWFyaW8uc2l4QGdkc3lzLmNj Subject: [U-Boot] [RESEND PATCH v2 23/27] cfi_flash: Bound-check index before array access X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" In a while loop in cfi_flash.c the array "start" is accessed at the index "sector" before the index variable "sector" is bounds-checked, which might lead to accesses beyond the bounds of the array. Swap the order of the checks in the "&&" expression, so that the short-circuit evaluation prevents out-of-bounds array accesses. Signed-off-by: Mario Six --- v1 -> v2: None --- drivers/mtd/cfi_flash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.11.0 diff --git a/drivers/mtd/cfi_flash.c b/drivers/mtd/cfi_flash.c index 5ba0c5fdec..61c2e6379d 100644 --- a/drivers/mtd/cfi_flash.c +++ b/drivers/mtd/cfi_flash.c @@ -761,8 +761,8 @@ static flash_sect_t find_sector(flash_info_t *info, ulong addr) if (info != saved_info || sector >= info->sector_count) sector = 0; - while ((info->start[sector] < addr) && - (sector < info->sector_count - 1)) + while ((sector < info->sector_count - 1) && + (info->start[sector] < addr)) sector++; while ((info->start[sector] > addr) && (sector > 0)) /*
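Review bot: the second loop in the trailing context, `while ((info->start[sector] > addr) && (sector > 0))`, keeps the read-before-check order that the changed loop gives up, so find_sector() ends up with two different conventions; consider swapping it to `(sector > 0) && (info->start[sector] > addr)` in the same patch. It would also help if the commit message named the case in which the old order actually reads out of bounds: the `if` just above resets `sector` to 0 whenever it is `>= info->sector_count`, so on entry the index is already below `sector_count` unless `sector_count` is 0, and in that case the second loop still reads `info->start[sector]` with no prior check after this change.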