diff options
author | Mario Six <mario.six@gdsys.cc> | 2018-01-26 14:43:53 +0100 |
---|---|---|
committer | Stefan Roese <sr@denx.de> | 2018-01-29 07:48:59 +0100 |
commit | 5701ba82894d679eb42df5d0b93a2d44b3df695d (patch) | |
tree | f9da3e31926758b9b6416388077a31fd56615212 | |
parent | 9dbaebcf9f401c5dcea762e34a3dc8ed10760623 (diff) |
cfi_flash: Bound-check index before array access
In a while loop in cfi_flash.c the array "start" is accessed at the index
"sector" before the index variable "sector" is bounds-checked, which
might lead to accesses beyond the bounds of the array.
Swap the order of the checks in the "&&" expression, so that the
short-circuit evaluation prevents out-of-bounds array accesses.
Signed-off-by: Mario Six <mario.six@gdsys.cc>
Signed-off-by: Stefan Roese <sr@denx.de>
-rw-r--r-- | drivers/mtd/cfi_flash.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/mtd/cfi_flash.c b/drivers/mtd/cfi_flash.c index 5ba0c5fdecb..61c2e6379db 100644 --- a/drivers/mtd/cfi_flash.c +++ b/drivers/mtd/cfi_flash.c @@ -761,8 +761,8 @@ static flash_sect_t find_sector(flash_info_t *info, ulong addr) if (info != saved_info || sector >= info->sector_count) sector = 0; - while ((info->start[sector] < addr) && - (sector < info->sector_count - 1)) + while ((sector < info->sector_count - 1) && + (info->start[sector] < addr)) sector++; while ((info->start[sector] > addr) && (sector > 0)) /* |