This is an automated email from Gerrit. "Name of user not set <sydmonta...@phoenix-staffel.de>" just uploaded a new patch set to Gerrit, which you can find at https://review.openocd.org/c/openocd/+/8126
-- gerrit commit 6802bde3fb2083450d63b1183c45ba404eaa581f
Author: SydMontague <sydmonta...@phoenix-staffel.de>
Date: Fri Feb 2 12:12:48 2024 +0100

jtag/commands: fixed buffer overflow

When performing a command queue allocation larger than the default page size of 1MiB any subsequent allocations will run into an integer underflow when checking for the remaining memory left in the current page. Causing the function to return a pointer past the end of the buffer and thus creating a buffer overflow.

This has been observed to cause some transfers to Efinix FPGAs to fail, because another buffer can get corrupted in the process, causing its respective free() to fail.

Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
Signed-off-by: SydMontague <sydmonta...@phoenix-staffel.de>

diff --git a/src/jtag/commands.c b/src/jtag/commands.c index 43cda8ad4e..64e89b253d 100644 --- a/src/jtag/commands.c +++ b/src/jtag/commands.c @@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size) if (*p_page) { p_page = &cmd_queue_pages_tail; - if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size) + if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size) p_page = &((*p_page)->next); } --
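Review bot: the rewritten condition in cmd_queue_alloc() removes the unsigned underflow of `CMD_QUEUE_PAGE_SIZE - (*p_page)->used` on a tail page whose `used` already exceeds CMD_QUEUE_PAGE_SIZE, but it trades it for a possible wrap of `(*p_page)->used + size` when `size` is close to SIZE_MAX, which would again make the check pass and hand out a pointer past the end of the page. A form that cannot wrap in either direction is `if (size > CMD_QUEUE_PAGE_SIZE || (*p_page)->used > CMD_QUEUE_PAGE_SIZE - size)`, which also makes the oversized-page case (`used > CMD_QUEUE_PAGE_SIZE`) fail the check explicitly rather than by arithmetic accident. Whichever form is kept, a one-line comment above the `if` stating that the tail page may be larger than CMD_QUEUE_PAGE_SIZE would stop the next reader from "simplifying" it back to the subtraction that caused this overflow.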