diff options
author | Tomas Vanek <vanekt@fbl.cz> | 2018-01-14 23:33:44 +0100 |
---|---|---|
committer | Tomas Vanek <vanekt@fbl.cz> | 2018-01-25 07:20:48 +0000 |
commit | ff623b83fc74d40adcdfb36454393cf307d70f08 (patch) | |
tree | b04cae8c9a10f7e9f998d7d3f9ad8ba65943fa61 | |
parent | edb67962865d5d3cc4a8ec1790b4c8c5327e98fd (diff) | |
download | riscv-openocd-ff623b83fc74d40adcdfb36454393cf307d70f08.zip riscv-openocd-ff623b83fc74d40adcdfb36454393cf307d70f08.tar.gz riscv-openocd-ff623b83fc74d40adcdfb36454393cf307d70f08.tar.bz2 |
target, arm_adi_v5: catch two allocation errors
Command
mdw 0 0x40000000
triggers Segmentation fault on an arm.
Size parameter is a nonsence that may happen e.g. if you
mistype mdw instead of mww.
Add checking for calloc() NULL return in mdb/h/w.
Use calloc() instead of malloc() as multiplication
count * sizeof(uint32_t) overflows for size >= 0x40000000.
Change-Id: I968c944d863d1173ef932a7077d526fccb9381ae
Signed-off-by: Tomas Vanek <vanekt@fbl.cz>
Reviewed-on: http://openocd.zylin.com/4349
Tested-by: jenkins
Reviewed-by: Matthias Welwarsky <matthias@welwarsky.de>
-rw-r--r-- | src/target/arm_adi_v5.c | 3 | ||||
-rw-r--r-- | src/target/target.c | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/src/target/arm_adi_v5.c b/src/target/arm_adi_v5.c index a4ca9f1..aa7f4cf 100644 --- a/src/target/arm_adi_v5.c +++ b/src/target/arm_adi_v5.c @@ -479,7 +479,8 @@ static int mem_ap_read(struct adiv5_ap *ap, uint8_t *buffer, uint32_t size, uint /* Allocate buffer to hold the sequence of DRW reads that will be made. This is a significant * over-allocation if packed transfers are going to be used, but determining the real need at * this point would be messy. */ - uint32_t *read_buf = malloc(count * sizeof(uint32_t)); + uint32_t *read_buf = calloc(count, sizeof(uint32_t)); + /* Multiplication count * sizeof(uint32_t) may overflow, calloc() is safe */ uint32_t *read_ptr = read_buf; if (read_buf == NULL) { LOG_ERROR("Failed to allocate read buffer"); diff --git a/src/target/target.c b/src/target/target.c index d6781a3..52307db 100644 --- a/src/target/target.c +++ b/src/target/target.c @@ -3116,6 +3116,10 @@ COMMAND_HANDLER(handle_md_command) COMMAND_PARSE_NUMBER(uint, CMD_ARGV[1], count); uint8_t *buffer = calloc(count, size); + if (buffer == NULL) { + LOG_ERROR("Failed to allocate md read buffer"); + return ERROR_FAIL; + } struct target *target = get_current_target(CMD_CTX); int retval = fn(target, address, size, count, buffer); |