From e0272e2b6f8860152d0edf72263a80426fd7d5e3 Mon Sep 17 00:00:00 2001
From: Angel Pons <th3fanbus@gmail.com>
Date: Tue, 31 Mar 2020 15:34:35 +0200
Subject: ft2232_spi.c: Improve handling of static buffer

If `buf` became NULL because of an error, subsequent calls to the
`ft2232_spi_send_command` function with a smaller buffer size will
result in a null pointer dereference. Add an additional null check
before using `buf` to prevent that. Moreover, use `size_t` for the
`bufsize` and `oldbufsize` variables, as it's what `realloc` uses.

Change-Id: Idc4237ddca94c42ce2a930e6d00fd2d14e4f125c
Signed-off-by: Angel Pons <th3fanbus@gmail.com>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/39975
Reviewed-by: HAOUAS Elyes <ehaouas@noos.fr>
Reviewed-by: Edward O'Callaghan <quasisec@chromium.org>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
---
 ft2232_spi.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ft2232_spi.c b/ft2232_spi.c
index 520eb6e17..9f4c7f033 100644
--- a/ft2232_spi.c
+++ b/ft2232_spi.c
@@ -468,8 +468,8 @@ static int ft2232_spi_send_command(struct flashctx *flash,
 	static unsigned char *buf = NULL;
 	/* failed is special. We use bitwise ops, but it is essentially bool. */
 	int i = 0, ret = 0, failed = 0;
-	int bufsize;
-	static int oldbufsize = 0;
+	size_t bufsize;
+	static size_t oldbufsize = 0;
 
 	if (writecnt > 65536 || readcnt > 65536)
 		return SPI_INVALID_LENGTH;
@@ -477,7 +477,7 @@ static int ft2232_spi_send_command(struct flashctx *flash,
 	/* buf is not used for the response from the chip. */
 	bufsize = max(writecnt + 9, 260 + 9);
 	/* Never shrink. realloc() calls are expensive. */
-	if (bufsize > oldbufsize) {
+	if (!buf || bufsize > oldbufsize) {
 		buf = realloc(buf, bufsize);
 		if (!buf) {
 			msg_perr("Out of memory!\n");
-- 
cgit v1.2.3