ft2232_spi.c: Improve handling of static buffer
If `buf` became NULL because of an error, subsequent calls to the
`ft2232_spi_send_command` function with a smaller buffer size will
result in a null pointer dereference. Add an additional null check
before using `buf` to prevent that. Moreover, use `size_t` for the
`bufsize` and `oldbufsize` variables, as it's what `realloc` uses.
Change-Id: Idc4237ddca94c42ce2a930e6d00fd2d14e4f125c
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Original-Reviewed-on: https://review.coreboot.org/c/flashrom/+/39975
Original-Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Original-Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Reviewed-on: https://review.coreboot.org/c/flashrom-stable/+/71308
Reviewed-by: Nico Huber <nico.h@gmx.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
diff --git a/ft2232_spi.c b/ft2232_spi.c
index ee19eef..5e9c61d 100644
--- a/ft2232_spi.c
+++ b/ft2232_spi.c
@@ -456,8 +456,8 @@
static unsigned char *buf = NULL;
/* failed is special. We use bitwise ops, but it is essentially bool. */
int i = 0, ret = 0, failed = 0;
- int bufsize;
- static int oldbufsize = 0;
+ size_t bufsize;
+ static size_t oldbufsize = 0;
if (writecnt > 65536 || readcnt > 65536)
return SPI_INVALID_LENGTH;
@@ -465,7 +465,7 @@
/* buf is not used for the response from the chip. */
bufsize = max(writecnt + 9, 260 + 9);
/* Never shrink. realloc() calls are expensive. */
- if (bufsize > oldbufsize) {
+ if (!buf || bufsize > oldbufsize) {
buf = realloc(buf, bufsize);
if (!buf) {
msg_perr("Out of memory!\n");