Fixed out-of-bounds read in JtagDevice (thanks asan)
azonenberg committed Jul 17, 2018
1 parent 95e79eb commit 29186dd
Showing 1 changed file with 21 additions and 5 deletions.
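--- a/JtagDevice.cpp
+++ b/JtagDevice.cpp
@@ -127,7 +127,12 @@ unsigned int JtagDevice::GetIDCode()
 
 void JtagDevice::SetIRDeferred(const unsigned char* data, int count)
 {
-if( (m_irlength < 32) && (0 == memcmp(data, &m_cachedIR, count)))
+//ceil of bytes, but faster
+int bytecount = (count >> 3);
+if(count & 7)
+bytecount ++;
+
+if( (m_irlength < 32) && (0 == memcmp(data, &m_cachedIR, bytecount)))
 {
 //do nothing, cache hit
 return;
@@ -136,7 +141,7 @@ void JtagDevice::SetIRDeferred(const unsigned char* data, int count)
 else
 m_iface->SetIRDeferred((int)m_pos, data, count);
 
-memcpy(m_cachedIR, data, ceil(count / 8.0f));
+memcpy(m_cachedIR, data, bytecount);
 }
 
 /**
@@ -146,14 +151,19 @@ void JtagDevice::SetIRDeferred(const unsigned char* data, int count)
 */
 void JtagDevice::SetIR(const unsigned char* data, int count)
 {
+//ceil of bytes, but faster
+int bytecount = (count >> 3);
+if(count & 7)
+bytecount ++;
+
 if(count > 32)
 {
 throw JtagExceptionWrapper(
 "Invalid IR value (too long)",
 "");
 }
 
-if( (0 == memcmp(data, &m_cachedIR, count)) )
+if( (0 == memcmp(data, &m_cachedIR, bytecount)) )
 {
 //do nothing, cache hit
 return;
@@ -162,7 +172,7 @@ void JtagDevice::SetIR(const unsigned char* data, int count)
 else
 m_iface->SetIR((int)m_pos, data, count);
 
-memcpy(m_cachedIR, data, ceil(count / 8.0f));
+memcpy(m_cachedIR, data, bytecount);
 }
 
 /**
@@ -182,6 +192,12 @@ void JtagDevice::Commit()
 */
 void JtagDevice::SetIR(const unsigned char* data, unsigned char* data_out, int count)
 {
+//ceil of bytes, but faster
+int bytecount = (count >> 3);
+if(count & 7)
+bytecount ++;
+
+
 if(count > 32)
 {
 throw JtagExceptionWrapper(
@@ -190,7 +206,7 @@ void JtagDevice::SetIR(const unsigned char* data, unsigned char* data_out, int c
 }
 
 m_iface->SetIR((int)m_pos, data, data_out, count);
-memcpy(m_cachedIR, data, ceil(count / 8.0f));
+memcpy(m_cachedIR, data, bytecount);
 }
 
 /**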
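Review bot: SetIRDeferred still has no bound on `count` in the lines shown. Both SetIR overloads throw when `count > 32`, but here the only guard is `m_irlength < 32` on the cache compare, so the closing `memcpy(m_cachedIR, data, bytecount)` in the second hunk copies whatever length the caller passes. The declaration of m_cachedIR is not on this page; if it is a 4-byte buffer, as the 32-bit limit in SetIR suggests, a larger count overruns it on the write side. None of the three functions rejects a negative `count` either, and a negative `bytecount` converts to a very large size_t in memcmp/memcpy. I would put `if(count < 0 || count > 32)` with the existing JtagExceptionWrapper throw ahead of the compare in SetIRDeferred and widen the two SetIR checks to match; two lines of SetIRDeferred between the first and second hunk are not visible, so confirm no such check already sits there.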