[U-Boot] [PATCH] ppc: ppmc7xx: Fix possible out-of-bound access

Wolfgang Denk wd at denx.de
Tue Jun 11 22:10:34 CEST 2013


Dear Marek Vasut,

In message <1369018900-11198-1-git-send-email-marex at denx.de> you wrote:
> The flash_info_t->start[] field is limited in size by CONFIG_SYS_MAX_FLASH_SECT
> macro, which is set to 19 for this board in the board config file. If we inspect
> the board/ppmc7xx/flash.c closely, especially the flash_get_size() function, we
> can notice the "switch ((long)flashtest)" at around line 80 having a few results
> which will set flash_info_t->sector_count to value higher than 19, for example
> "case AMD_ID_LV640U" will set it to 128. Notice that right underneath, iteration
> over flash_info_t->start[] happens and the upper bound for the iteration is
> flash_info_t->sector_count. Now if the sector_count is 128 as it is for the
> AMD_ID_LV640U case, but the CONFIG_SYS_MAX_FLASH_SECT limiting the start[] is
> only 19, an access past the start[] array must happen. Moreover, during this
> iteration, the field is written to, so memory corruption is inevitable.
> 
> Signed-off-by: Marek Vasut <marex at denx.de>
> Cc: Wolfgang Denk <wd at denx.de>
> Cc: Tom Rini <trini at ti.com>
> Cc: Richard Danter <richard.danter at windriver.com>
> ---
>  include/configs/ppmc7xx.h |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied, thanks.

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,     MD: Wolfgang Denk & Detlev Zundel
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
You could end up being oddly sad and full of a strange, diffuse  com-
passion  which would lead you to believe that it might be a good idea
to wipe out the whole human race and start again with amoebas.
                                 - Terry Pratchett, _Guards! Guards!_
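
The mismatch described in the quoted commit message, as an added example that is not code from the patch or from U-Boot: a simplified model of flash_info_t whose fill loop checks the detected sector count against the capacity of start[] before writing. The struct model, function names, base address and sector size are assumptions made for illustration; 19 and 128 are the values given in the message.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FLASH_SECT 19        /* stands in for CONFIG_SYS_MAX_FLASH_SECT (19 per the message) */
#define LARGEST_SECTOR_COUNT 128 /* sector_count set in the AMD_ID_LV640U case per the message */
#define SECT_SIZE 0x10000UL      /* constructed sector size, illustration only */

#ifdef CHECK_CONFIG /* build with -DCHECK_CONFIG to make the mismatch a compile error */
_Static_assert(MAX_FLASH_SECT >= LARGEST_SECTOR_COUNT,
               "start[] cannot hold the largest supported flash part");
#endif

/* Hypothetical, reduced model of flash_info_t: only the fields the message names. */
typedef struct {
    unsigned short sector_count;
    unsigned long  start[MAX_FLASH_SECT];
} model_flash_info_t;

/* Bytes an unchecked "for (i = 0; i < sector_count; i++) start[i] = ..." loop
 * would write beyond the end of start[]. */
size_t overrun_bytes(unsigned int detected_sectors)
{
    if (detected_sectors <= MAX_FLASH_SECT)
        return 0;
    return (detected_sectors - MAX_FLASH_SECT) * sizeof(unsigned long);
}

/* Checked fill: reject a geometry that does not fit instead of corrupting memory. */
int fill_sector_starts(model_flash_info_t *info, unsigned long base,
                       unsigned int detected_sectors)
{
    unsigned int i;

    if (detected_sectors > sizeof(info->start) / sizeof(info->start[0])) {
        info->sector_count = 0;  /* leave the bank marked as unusable */
        return -1;
    }
    info->sector_count = (unsigned short)detected_sectors;
    for (i = 0; i < detected_sectors; i++)
        info->start[i] = base + i * SECT_SIZE;
    return 0;
}

int main(void)
{
    model_flash_info_t fi;
    memset(&fi, 0, sizeof fi);
    printf("128 sectors: rc=%d, unchecked overrun=%zu bytes\n",
           fill_sector_starts(&fi, 0xFF000000UL, 128), overrun_bytes(128));
    return 0;
}
```
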

