cfi_flash: Bound-check index before array access

In a while loop in cfi_flash.c the array "start" is accessed at the index "sector" before the index variable "sector" is bounds-checked, which might lead to accesses beyond the bounds of the array. Swap the order of the checks in the "&&" expression, so that the short-circuit evaluation prevents out-of-bounds array accesses. Signed-off-by: Mario Six <mario.six@gdsys.cc> Signed-off-by: Stefan Roese <sr@denx.de>

cfi_flash: Bound-check index before array access
In a while loop in cfi_flash.c the array "start" is accessed at the index "sector" before the index variable "sector" is bounds-checked, which might lead to accesses beyond the bounds of the array. Swap the order of the checks in the "&&" expression, so that the short-circuit evaluation prevents out-of-bounds array accesses. Signed-off-by: Mario Six <mario.six@gdsys.cc> Signed-off-by: Stefan Roese <sr@denx.de>
Mario Six · Stefan Roese
1 parent 9dbaebcf9f
Showing 1 changed file with 2 additions and 2 deletions Side-by-side Diff
drivers/mtd/cfi_flash.c
@@ -761,8 +761,8 @@
 	if (info != saved_info || sector >= info->sector_count)
 		sector = 0;
  
-	while ((info->start[sector] < addr) &&
-		(sector < info->sector_count - 1))
+	while ((sector < info->sector_count - 1) &&
+		(info->start[sector] < addr))
 		sector++;
 	while ((info->start[sector] > addr) && (sector > 0))
 		/*
...	...	@@ -761,8 +761,8 @@
761	761	if (info != saved_info \|\| sector >= info->sector_count)
762	762	sector = 0;
763	763
764		- while ((info->start[sector] < addr) &&
765		- (sector < info->sector_count - 1))
	764	+ while ((sector < info->sector_count - 1) &&
	765	+ (info->start[sector] < addr))
766	766	sector++;
767	767	while ((info->start[sector] > addr) && (sector > 0))
768	768	/*