[OpenOCD-devel] [PATCH]: 07933b8 target, arm_adi_v5: catch two allocation errors

Wed, 17 Jan 2018 02:36:24 -0800 

This is an automated email from Gerrit.

Tomas Vanek (van...@fbl.cz) just uploaded a new patch set to Gerrit, which you 
can find at http://openocd.zylin.com/4349

-- gerrit

commit 07933b8f21d8f38f3c7b335e4880f499b57e5195
Author: Tomas Vanek <van...@fbl.cz>
Date:   Sun Jan 14 23:33:44 2018 +0100

    target, arm_adi_v5: catch two allocation errors
    
    Command
        mdw 0 0x40000000
    triggers Segmentation fault on an arm.
    Size parameter is a nonsence that may happen e.g. if you
    mistype mdw instead of mww.
    
    Add checking for calloc() NULL return in mdb/h/w.
    
    Use calloc() instead of malloc() as multiplication
    count * sizeof(uint32_t) overflows for size >= 0x40000000.
    
    Change-Id: I968c944d863d1173ef932a7077d526fccb9381ae
    Signed-off-by: Tomas Vanek <van...@fbl.cz>

diff --git a/src/target/arm_adi_v5.c b/src/target/arm_adi_v5.c
index a4ca9f1..aa7f4cf 100644
--- a/src/target/arm_adi_v5.c
+++ b/src/target/arm_adi_v5.c
@@ -479,7 +479,8 @@ static int mem_ap_read(struct adiv5_ap *ap, uint8_t 
*buffer, uint32_t size, uint
        /* Allocate buffer to hold the sequence of DRW reads that will be made. 
This is a significant
         * over-allocation if packed transfers are going to be used, but 
determining the real need at
         * this point would be messy. */
-       uint32_t *read_buf = malloc(count * sizeof(uint32_t));
+       uint32_t *read_buf = calloc(count, sizeof(uint32_t));
+       /* Multiplication count * sizeof(uint32_t) may overflow, calloc() is 
safe */
        uint32_t *read_ptr = read_buf;
        if (read_buf == NULL) {
                LOG_ERROR("Failed to allocate read buffer");
diff --git a/src/target/target.c b/src/target/target.c
index d6781a3..52307db 100644
--- a/src/target/target.c
+++ b/src/target/target.c
@@ -3116,6 +3116,10 @@ COMMAND_HANDLER(handle_md_command)
                COMMAND_PARSE_NUMBER(uint, CMD_ARGV[1], count);
 
        uint8_t *buffer = calloc(count, size);
+       if (buffer == NULL) {
+               LOG_ERROR("Failed to allocate md read buffer");
+               return ERROR_FAIL;
+       }
 
        struct target *target = get_current_target(CMD_CTX);
        int retval = fn(target, address, size, count, buffer);

-- 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenOCD-devel mailing list
OpenOCD-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openocd-devel

Reply via email to