This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Main OpenOCD repository".
The branch, master has been updated
via 179169268ca1bbac092324f597fbea090d75355e (commit)
from 33573cda4aa5685b32c44a81b1f2d84a28d78810 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 179169268ca1bbac092324f597fbea090d75355e
Author: SydMontague <syd...@ph...>
Date: Fri Feb 2 12:12:48 2024 +0100
jtag/commands: fixed buffer overflow
When performing a command queue allocation larger than the default page
size of 1MiB any subsequent allocations will run into an integer under-
flow when checking for the remaining memory left in the current page.
Causing the function returning a pointer past the end of the buffer and
thus creating a buffer overflow.
This has been observed to cause some transfers to Efinix FPGAs to fail,
because another buffer can get corrupted in the process, causing its
respective free() to fail.
Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
Signed-off-by: SydMontague <syd...@ph...>
Reviewed-on: https://review.openocd.org/c/openocd/+/8126
Reviewed-by: Tomas Vanek <va...@fb...>
Reviewed-by: Antonio Borneo <bor...@gm...>
Tested-by: jenkins
diff --git a/src/jtag/commands.c b/src/jtag/commands.c
index c36c21923..a60684c88 100644
--- a/src/jtag/commands.c
+++ b/src/jtag/commands.c
@@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size)
if (*p_page) {
p_page = &cmd_queue_pages_tail;
- if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size)
+ if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size)
p_page = &((*p_page)->next);
}
-----------------------------------------------------------------------
Summary of changes:
src/jtag/commands.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
hooks/post-receive
--
Main OpenOCD repository
|
