Werner Zeh has submitted this change. ( https://review.coreboot.org/c/coreboot/+/55763 )
Change subject: cbfstool: Make use of spurious null-termination ......................................................................
cbfstool: Make use of spurious null-termination
The null-termination of `filetypes` was added after the code was written, obviously resulting in NULL dereferences. As some more code has grown around the termination, it's hard to revert the regression, so let's update the code that still used the array length.
This fixes commit 7f5f9331d1 (util/cbfstool: fix buffer over-read) which actually did fix something, but only one path while it broke two others. We should be careful with fixes, they can always break something else. Especially when a dumb tool triggered the patching it seems likely that fewer people looked into related code.
Change-Id: If2ece1f5ad62952ed2e57769702e318ba5468f0c Signed-off-by: Nico Huber nico.huber@secunet.com Reviewed-on: https://review.coreboot.org/c/coreboot/+/55763 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Julius Werner jwerner@chromium.org --- M util/cbfstool/common.c 1 file changed, 4 insertions(+), 4 deletions(-)
Approvals: build bot (Jenkins): Verified Julius Werner: Looks good to me, approved
diff --git a/util/cbfstool/common.c b/util/cbfstool/common.c index e2ed38f..539d0ba 100644 --- a/util/cbfstool/common.c +++ b/util/cbfstool/common.c @@ -168,10 +168,10 @@
void print_supported_filetypes(void) { - int i, number = ARRAY_SIZE(filetypes); + int i;
- for (i=0; i<number; i++) { - printf(" %s%c", filetypes[i].name, (i==(number-1))?'\n':','); + for (i=0; filetypes[i].name; i++) { + printf(" %s%c", filetypes[i].name, filetypes[i + 1].name ? ',' : '\n'); if ((i%8) == 7) printf("\n"); } @@ -180,7 +180,7 @@ uint64_t intfiletype(const char *name) { size_t i; - for (i = 0; i < (sizeof(filetypes) / sizeof(struct typedesc_t)); i++) + for (i = 0; filetypes[i].name; i++) if (strcmp(filetypes[i].name, name) == 0) return filetypes[i].type; return -1;