From: Tomas Vanek Date: Sun, 14 Jan 2018 22:33:44 +0000 (+0100) Subject: target, arm_adi_v5: catch two allocation errors X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ff623b83fc74d40adcdfb36454393cf307d70f08;p=openocd target, arm_adi_v5: catch two allocation errors Command mdw 0 0x40000000 triggers Segmentation fault on an arm. Size parameter is a nonsence that may happen e.g. if you mistype mdw instead of mww. Add checking for calloc() NULL return in mdb/h/w. Use calloc() instead of malloc() as multiplication count * sizeof(uint32_t) overflows for size >= 0x40000000. Change-Id: I968c944d863d1173ef932a7077d526fccb9381ae Signed-off-by: Tomas Vanek Reviewed-on: http://openocd.zylin.com/4349 Tested-by: jenkins Reviewed-by: Matthias Welwarsky --- diff --git a/src/target/arm_adi_v5.c b/src/target/arm_adi_v5.c index a4ca9f12..aa7f4cf6 100644 --- a/src/target/arm_adi_v5.c +++ b/src/target/arm_adi_v5.c @@ -479,7 +479,8 @@ static int mem_ap_read(struct adiv5_ap *ap, uint8_t *buffer, uint32_t size, uint /* Allocate buffer to hold the sequence of DRW reads that will be made. This is a significant * over-allocation if packed transfers are going to be used, but determining the real need at * this point would be messy. */ - uint32_t *read_buf = malloc(count * sizeof(uint32_t)); + uint32_t *read_buf = calloc(count, sizeof(uint32_t)); + /* Multiplication count * sizeof(uint32_t) may overflow, calloc() is safe */ uint32_t *read_ptr = read_buf; if (read_buf == NULL) { LOG_ERROR("Failed to allocate read buffer"); diff --git a/src/target/target.c b/src/target/target.c index d6781a3c..52307dbf 100644 --- a/src/target/target.c +++ b/src/target/target.c @@ -3116,6 +3116,10 @@ COMMAND_HANDLER(handle_md_command) COMMAND_PARSE_NUMBER(uint, CMD_ARGV[1], count); uint8_t *buffer = calloc(count, size); + if (buffer == NULL) { + LOG_ERROR("Failed to allocate md read buffer"); + return ERROR_FAIL; + } struct target *target = get_current_target(CMD_CTX); int retval = fn(target, address, size, count, buffer);