ft2232_spi.c: Improve handling of static buffer

If `buf` became NULL because of an error, subsequent calls to the `ft2232_spi_send_command` function with a smaller buffer size will result in a null pointer dereference. Add an additional null check before using `buf` to prevent that. Moreover, use `size_t` for the `bufsize` and `oldbufsize` variables, as it's what `realloc` uses. Change-Id: Idc4237ddca94c42ce2a930e6d00fd2d14e4f125c Signed-off-by: Angel Pons <th3fanbus@gmail.com> Reviewed-on: https://review.coreboot.org/c/flashrom/+/39975 Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr> Reviewed-by: Edward O'Callaghan <quasisec@chromium.org> Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
2025-04-27 15:12:36 +02:00 · 2020-03-31 15:34:35 +02:00 · 2020-03-31 15:34:35 +02:00 · e0272e2b6f
commit e0272e2b6f
parent 2ee489d7ef
1 changed files with 3 additions and 3 deletions
--- a/ft2232_spi.c
+++ b/ft2232_spi.c
@ -468,8 +468,8 @@ static int ft2232_spi_send_command(struct flashctx *flash,
 	static unsigned char *buf = NULL;
 	/* failed is special. We use bitwise ops, but it is essentially bool. */
 	int i = 0, ret = 0, failed = 0;
-	int bufsize;
-	static int oldbufsize = 0;
+	size_t bufsize;
+	static size_t oldbufsize = 0;

 	if (writecnt > 65536 || readcnt > 65536)
 		return SPI_INVALID_LENGTH;
@ -477,7 +477,7 @@ static int ft2232_spi_send_command(struct flashctx *flash,
 	/* buf is not used for the response from the chip. */
 	bufsize = max(writecnt + 9, 260 + 9);
 	/* Never shrink. realloc() calls are expensive. */
-	if (bufsize > oldbufsize) {
+	if (!buf || bufsize > oldbufsize) {
 		buf = realloc(buf, bufsize);
 		if (!buf) {
 			msg_perr("Out of memory!\n");