git.sur5r.net Git - u-boot/commitdiff
cfi_flash: Bound-check index before array access
author Mario Six <mario.six@gdsys.cc>
Fri, 26 Jan 2018 13:43:53 +0000 (14:43 +0100)
committer Stefan Roese <sr@denx.de>
Mon, 29 Jan 2018 06:48:59 +0000 (07:48 +0100)
In a while loop in cfi_flash.c the array "start" is accessed at the index
"sector" before the index variable "sector" is bounds-checked, which
might lead to accesses beyond the bounds of the array.

Swap the order of the checks in the "&&" expression, so that the
short-circuit evaluation prevents out-of-bounds array accesses.

Signed-off-by: Mario Six <mario.six@gdsys.cc>
Signed-off-by: Stefan Roese <sr@denx.de>
drivers/mtd/cfi_flash.c

index 5ba0c5fdecbba2e7525b909e2a74e36ac718045f..61c2e6379dbaa050b34a62ab12b432b88b7924fd 100644 (file)
@@ -761,8 +761,8 @@ static flash_sect_t find_sector(flash_info_t *info, ulong addr)
        if (info != saved_info || sector >= info->sector_count)
                sector = 0;
 
-       while ((info->start[sector] < addr) &&
-               (sector < info->sector_count - 1))
+       while ((sector < info->sector_count - 1) &&
+               (info->start[sector] < addr))
                sector++;
        while ((info->start[sector] > addr) && (sector > 0))
                /*
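Review bot: The second loop in the trailing context, `while ((info->start[sector] > addr) && (sector > 0))`, still reads `info->start[sector]` before testing the index, so the access-before-check pattern this patch removes from the first loop remains one statement later. When the first loop exits, `sector` is at most `info->sector_count - 1`, so that read is in bounds whenever `sector_count` is at least 1; but if `sector_count` can be 0, the guard above resets `sector` to 0 and the second loop reads `info->start[0]` regardless of the reordered check. Consider swapping that condition to `(sector > 0) && (info->start[sector] > addr)` for consistency, and either returning early when `info->sector_count` is 0 or documenting in the commit message that callers guarantee a non-empty sector table.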