From patchwork Fri Jan 26 13:43:53 2018
X-Patchwork-Submitter: Mario Six
X-Patchwork-Id: 866340
X-Patchwork-Delegate: sr@denx.de
From: Mario Six To: U-Boot Mailing List , Stefan Roese , Masahiro Yamada , Simon Glass , Marek Vasut , Patrice Chotard Date: Fri, 26 Jan 2018 14:43:53 +0100 Message-Id: <20180126134356.9393-23-mario.six@gdsys.cc> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20180126134356.9393-1-mario.six@gdsys.cc> References: <20180126134356.9393-1-mario.six@gdsys.cc> X-Df-Sender: bWFyaW8uc2l4QGdkc3lzLmNj Subject: [U-Boot] [PATCH v3 23/26] cfi_flash: Bound-check index before array access X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" In a while loop in cfi_flash.c the array "start" is accessed at the index "sector" before the index variable "sector" is bounds-checked, which might lead to accesses beyond the bounds of the array. Swap the order of the checks in the "&&" expression, so that the short-circuit evaluation prevents out-of-bounds array accesses. Signed-off-by: Mario Six --- v2 -> v3: * Added proper commit message v1 -> v2: None --- drivers/mtd/cfi_flash.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.11.0 diff --git a/drivers/mtd/cfi_flash.c b/drivers/mtd/cfi_flash.c index 5ba0c5fdec..61c2e6379d 100644 --- a/drivers/mtd/cfi_flash.c +++ b/drivers/mtd/cfi_flash.c @@ -761,8 +761,8 @@ static flash_sect_t find_sector(flash_info_t *info, ulong addr) if (info != saved_info || sector >= info->sector_count) sector = 0; - while ((info->start[sector] < addr) && - (sector < info->sector_count - 1)) + while ((sector < info->sector_count - 1) && + (info->start[sector] < addr)) sector++; while ((info->start[sector] > addr) && (sector > 0)) /*
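Review bot: The unchanged loop right after the modified one, `while ((info->start[sector] > addr) && (sector > 0))`, still reads `info->start[sector]` before testing the index, so the reorder in the first loop leaves the same read-before-check pattern in place one line later. It is also worth stating in the commit message which case this actually fixes. The clamp just above (`sector >= info->sector_count` resets `sector` to 0) and the `sector < info->sector_count - 1` condition already keep `sector` at or below `sector_count - 1` whenever `sector_count` is at least 1, in either operand order. The only entry state where `start[sector]` can be read outside the populated range is `sector_count == 0`, and the new order does not clearly cover that: if `sector_count` is unsigned, `sector_count - 1` wraps and the first loop can walk upward through `start[]`, and in any case the second loop reads `start[0]` unconditionally. Suggest an explicit early return or guard for `info->sector_count == 0` at the top of `find_sector()`, and swapping the operands of the second loop to `(sector > 0) && (info->start[sector] > addr)` so both loops test the index first.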