This is an automated email from Gerrit.

"Name of user not set <sydmonta...@phoenix-staffel.de>" just uploaded a new 
patch set to Gerrit, which you can find at 
https://review.openocd.org/c/openocd/+/8126

-- gerrit

commit 6802bde3fb2083450d63b1183c45ba404eaa581f
Author: SydMontague <sydmonta...@phoenix-staffel.de>
Date:   Fri Feb 2 12:12:48 2024 +0100

    jtag/commands: fixed buffer overflow
    
    When performing a command queue allocation larger than the default page
    size of 1MiB, any subsequent allocations will run into an integer
    underflow when checking for the remaining memory left in the current
    page, causing the function to return a pointer past the end of the
    buffer and thus creating a buffer overflow.
    
    This has been observed to cause some transfers to Efinix FPGAs to fail,
    because another buffer can get corrupted in the process, causing its
    respective free() to fail.
    
    Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
    Signed-off-by: SydMontague <sydmonta...@phoenix-staffel.de>
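
A small C model of the failing check, added here as an illustration and not OpenOCD's own code: the page size, the `struct page` layout and the helper names are hypothetical, and the page size is shrunk from 1 MiB to keep the numbers readable.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical stand-in for CMD_QUEUE_PAGE_SIZE (the real default is 1 MiB). */
#define PAGE_SIZE 1024u

/* Simplified model of a command-queue page. A request larger than PAGE_SIZE
 * gets its own, larger page, so `used` can exceed PAGE_SIZE for that page. */
struct page {
    size_t capacity; /* bytes actually allocated for this page */
    size_t used;     /* bytes handed out so far */
};

/* Pre-patch check: PAGE_SIZE - used is an unsigned subtraction, so when
 * used > PAGE_SIZE it wraps to a huge value and the request "fits". */
bool fits_buggy(const struct page *pg, size_t size)
{
    return !(PAGE_SIZE - pg->used < size);
}

/* Patched check: no subtraction, so an oversized, full page is seen as full. */
bool fits_fixed(const struct page *pg, size_t size)
{
    return !(PAGE_SIZE < pg->used + size);
}

/* Would `size` bytes placed at offset `used` stay inside the real allocation? */
bool in_bounds(const struct page *pg, size_t size)
{
    return pg->used <= pg->capacity && size <= pg->capacity - pg->used;
}

/* The scenario from the commit message: an oversized page that is completely
 * used, followed by a small allocation. Returns true when the buggy check
 * would hand out a pointer past the end of that page's buffer. */
bool buggy_overflows_after_oversized_page(void)
{
    struct page big = { .capacity = 3 * PAGE_SIZE, .used = 3 * PAGE_SIZE };
    return fits_buggy(&big, 16) && !in_bounds(&big, 16);
}

/* Same scenario with the patched check: the request is sent to a new page. */
bool fixed_rejects_oversized_page(void)
{
    struct page big = { .capacity = 3 * PAGE_SIZE, .used = 3 * PAGE_SIZE };
    return !fits_fixed(&big, 16);
}
```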

diff --git a/src/jtag/commands.c b/src/jtag/commands.c
index 43cda8ad4e..64e89b253d 100644
--- a/src/jtag/commands.c
+++ b/src/jtag/commands.c
@@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size)
 
        if (*p_page) {
                p_page = &cmd_queue_pages_tail;
-               if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size)
+               if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size)
                        p_page = &((*p_page)->next);
        }
 
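Review bot: the new condition removes the unsigned underflow of `CMD_QUEUE_PAGE_SIZE - (*p_page)->used` when the tail page was allocated larger than the page size, but `(*p_page)->used + size` is itself an unsigned addition that can wrap for a very large `size`, which would again make the request appear to fit in the current page; consider rejecting `size > SIZE_MAX - (*p_page)->used` before the comparison, or writing the test as `(*p_page)->used > CMD_QUEUE_PAGE_SIZE || size > CMD_QUEUE_PAGE_SIZE - (*p_page)->used`. A short comment explaining why the subtraction form was wrong would also keep the next reader from "simplifying" it back.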
