From 00d05bc8a20abfdc2d692cccb250844f1477e95a Mon Sep 17 00:00:00 2001 From: Cyril Bur Date: Thu, 3 Aug 2017 16:45:43 +1000 Subject: libflash/blocklevel: Fix theoretical use after free (CID 145924) If we extend the ECC protection array and subsequently decide to merge regions in one call then there would be a use after free bug. While this exists in theory and was caught by Coverity, it should never happen since we only merge regions if we're low on space but the cause of the use after free is due to having just created more space. Nevertheless, this is the kind of ticking timebomb that simply requires some code rearrangement or different 'optimisations' to become possible. Best to just make it impossible. Fixes CID 145924 Signed-off-by: Cyril Bur Signed-off-by: Stewart Smith --- libflash/blocklevel.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libflash/blocklevel.c b/libflash/blocklevel.c index d2b7eaa..33d5c5d 100644 --- a/libflash/blocklevel.c +++ b/libflash/blocklevel.c @@ -591,6 +591,7 @@ static bool insert_bl_prot_range(struct blocklevel_range *ranges, struct bl_prot memcpy(&new_ranges[insert_pos], &range, sizeof(range)); ranges->prot = new_ranges; ranges->n_prot++; + prot = new_ranges; } /* Probably only worth mergeing when we're low on space */ -- cgit v1.1
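Review bot: the added `prot = new_ranges;` re-seats the local alias only after `ranges->prot = new_ranges;`, so the fix is correct as far as the visible lines show, but nothing in this hunk documents why the alias exists at all; a one-line comment such as `/* Re-point local alias, the old array was freed above */` at the new line would keep the next refactoring from dropping it, which is exactly the "ticking timebomb" the message describes. Also worth checking in the same pass that no other local pointer into the old array (an element pointer taken before the extension) survives past this block, since the merge path that follows the `/* Probably only worth mergeing ... */` comment would dereference it; while touching that comment, "mergeing" should be "merging".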