target, arm_adi_v5: catch two allocation errors
Command mdw 0 0x40000000 triggers Segmentation fault on an arm. Size parameter is a nonsence that may happen e.g. if you mistype mdw instead of mww. Add checking for calloc() NULL return in mdb/h/w. Use calloc() instead of malloc() as multiplication count * sizeof(uint32_t) overflows for size >= 0x40000000. Change-Id: I968c944d863d1173ef932a7077d526fccb9381ae Signed-off-by: Tomas Vanek <vanekt@fbl.cz> Reviewed-on: http://openocd.zylin.com/4349 Tested-by: jenkins Reviewed-by: Matthias Welwarsky <matthias@welwarsky.de>
This commit is contained in:
parent
edb6796286
commit
ff623b83fc
|
@ -479,7 +479,8 @@ static int mem_ap_read(struct adiv5_ap *ap, uint8_t *buffer, uint32_t size, uint
|
||||||
/* Allocate buffer to hold the sequence of DRW reads that will be made. This is a significant
|
/* Allocate buffer to hold the sequence of DRW reads that will be made. This is a significant
|
||||||
* over-allocation if packed transfers are going to be used, but determining the real need at
|
* over-allocation if packed transfers are going to be used, but determining the real need at
|
||||||
* this point would be messy. */
|
* this point would be messy. */
|
||||||
uint32_t *read_buf = malloc(count * sizeof(uint32_t));
|
uint32_t *read_buf = calloc(count, sizeof(uint32_t));
|
||||||
|
/* Multiplication count * sizeof(uint32_t) may overflow, calloc() is safe */
|
||||||
uint32_t *read_ptr = read_buf;
|
uint32_t *read_ptr = read_buf;
|
||||||
if (read_buf == NULL) {
|
if (read_buf == NULL) {
|
||||||
LOG_ERROR("Failed to allocate read buffer");
|
LOG_ERROR("Failed to allocate read buffer");
|
||||||
|
|
|
@ -3116,6 +3116,10 @@ COMMAND_HANDLER(handle_md_command)
|
||||||
COMMAND_PARSE_NUMBER(uint, CMD_ARGV[1], count);
|
COMMAND_PARSE_NUMBER(uint, CMD_ARGV[1], count);
|
||||||
|
|
||||||
uint8_t *buffer = calloc(count, size);
|
uint8_t *buffer = calloc(count, size);
|
||||||
|
if (buffer == NULL) {
|
||||||
|
LOG_ERROR("Failed to allocate md read buffer");
|
||||||
|
return ERROR_FAIL;
|
||||||
|
}
|
||||||
|
|
||||||
struct target *target = get_current_target(CMD_CTX);
|
struct target *target = get_current_target(CMD_CTX);
|
||||||
int retval = fn(target, address, size, count, buffer);
|
int retval = fn(target, address, size, count, buffer);
|
||||||
|
|
Loading…
Reference in New Issue