From: Paul Fertser
Date: Tue, 11 Aug 2015 22:03:02 +0000 (+0300)
Subject: svf: fix segfaults exposed by some SVF
X-Git-Tag: v0.10.0-rc1~448
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=874f0157eb01f8486b8e739244b4429a92a8182e;p=openocd
svf: fix segfaults exposed by some SVF
The problem was reported by jstefanop on IRC, the SVF was generated with Xilinx ISE 14.7. Found and investigated with Valgrind's vgdb service.
Change-Id: I32b0e77e0380ce4a391661f97449f9c2a5f83625
Signed-off-by: Paul Fertser
Reviewed-on: http://openocd.zylin.com/2933
Tested-by: jenkins
---
diff --git a/src/svf/svf.c b/src/svf/svf.c
index 15198d9b..a90ccd15 100644
--- a/src/svf/svf.c
+++ b/src/svf/svf.c
@@ -259,7 +259,7 @@ static void svf_hexbuf_print(int dbg_lvl, const char *file, unsigned line,
 int msbits = bit_len % 8;
 /* allocate 2 bytes per hex digit */
- char *prbuf = malloc((byte_len * 2) + 1);
+ char *prbuf = malloc((byte_len * 2) + 2 + 1);
 if (!prbuf) return;
@@ -1034,6 +1034,19 @@ XXR_common:
 }
 i_tmp = xxr_para_tmp->len;
 xxr_para_tmp->len = atoi(argus[1]);
+ /* If we are to enlarge the buffers, all parts of xxr_para_tmp
+ * need to be freed */
+ if (i_tmp < xxr_para_tmp->len) {
+ free(xxr_para_tmp->tdi);
+ xxr_para_tmp->tdi = NULL;
+ free(xxr_para_tmp->tdo);
+ xxr_para_tmp->tdo = NULL;
+ free(xxr_para_tmp->mask);
+ xxr_para_tmp->mask = NULL;
+ free(xxr_para_tmp->smask);
+ xxr_para_tmp->smask = NULL;
+ }
+
 LOG_DEBUG("\tlength = %d", xxr_para_tmp->len);
 xxr_para_tmp->data_mask = 0;
 for (i = 2; i < num_of_argu; i += 2) {
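Review bot: The `+ 2` added to the `malloc` size in svf_hexbuf_print is a bare constant, and the comment above it (`/* allocate 2 bytes per hex digit */`) no longer describes the size being computed. The code that writes into `prbuf` lies outside the hunk, so which two extra bytes are needed cannot be confirmed from here. A comment naming them would let the next reader check the bound, for example `/* 2 hex chars per byte + <what the 2 extra bytes hold> + NUL */`. Because `bit_len` presumably comes from the SVF file being played, it is also worth confirming that the writes into `prbuf` are limited by this same size rather than by a separately maintained count.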
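Review bot: In the XXR_common hunk the new `if (i_tmp < xxr_para_tmp->len)` test trusts a length that `atoi(argus[1])` took straight from the SVF file. `atoi` reports no errors, so a non-numeric argument becomes 0, a negative value skips the free branch, and an out-of-range value is undefined behaviour. The buffer handling that consumes `len` is outside the hunk, so the impact is inferred, but parsing strictly and rejecting bad values before the comparison would keep this fix from depending on well-formed input. The error return in the sketch below assumes the enclosing function's usual failure path, which is not visible here.

```c
i_tmp = xxr_para_tmp->len;
/* SVF files are external input: parse the length strictly */
errno = 0;
char *end;
long new_len = strtol(argus[1], &end, 10);
if (end == argus[1] || *end != '\0' || errno == ERANGE ||
		new_len < 0 || new_len > INT_MAX) {
	LOG_ERROR("invalid length '%s'", argus[1]);
	return ERROR_FAIL;
}
xxr_para_tmp->len = (int)new_len;
/* … unchanged: free tdi/tdo/mask/smask when the length grows … */
```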