On Mon, 8 Apr 2024 at 15:18, Philippe Mathieu-Daudé <phi...@linaro.org> wrote:
>
> Prevent out-of-bound access with assertions.
>
> Signed-off-by: Philippe Mathieu-Daudé <phi...@linaro.org>
> ---
>  hw/sd/sd.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/hw/sd/sd.c b/hw/sd/sd.c
> index 16d8d52a78..c081211582 100644
> --- a/hw/sd/sd.c
> +++ b/hw/sd/sd.c
> @@ -1875,6 +1875,7 @@ void sd_write_byte(SDState *sd, uint8_t value)
>                              sd->current_cmd, value);
>      switch (sd->current_cmd) {
>      case 24:  /* CMD24:  WRITE_SINGLE_BLOCK */
> +        assert(sd->data_offset < sizeof(sd->data));
>          sd->data[sd->data_offset ++] = value;
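Review bot: the assert added before `sd->data[sd->data_offset ++] = value;` is the bounds check every case of this switch that indexes sd->data will need, so a single helper that performs the check and the post-increment together would avoid repeating the sizeof pairing in each case and stop a bound from being copied against the wrong array. The commit message should also say why an abort is the right outcome here: an assert turns an offset that has run past the end of sd->data into an abort of the emulator rather than an error returned to the caller, and "Prevent out-of-bound access with assertions" does not explain that choice.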

Abstract out functions

static void append_sd_data_byte(SDState *sd, uint8_t value)
{
    assert(sd->data_offset < sizeof(sd->data));
    sd->data[sd->data_offset++] = value;
}

static uint8_t read_sd_data_byte(SDState *sd)
{
    assert(sd->data_offset < sizeof(sd->data));
    return sd->data[sd->data_offset++];
}

(etc for read_sd_status_byte() etc) ?

(sadly I don't think there's a verb that is the equivalent
of "prepend/append" but for removing elements.)


>      case 22:  /* ACMD22: SEND_NUM_WR_BLOCKS */
> +        assert(sd->data_offset < sizeof(sd->sd_status));
>          ret = sd->data[sd->data_offset ++];
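Review bot: the bound checked is sizeof(sd->sd_status), but the array read on the next line is sd->data, so this assert does not guard the access it precedes; compare against sizeof(sd->data) (or index sd->sd_status if that is the buffer ACMD22 should be returning from), and take each assert's size from the same array expression that is indexed right after it.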

Checking against the size of a different array from
the one we're reading from.

thanks
-- PMM
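A self-contained C sketch of the helper pattern suggested above, and of what goes wrong when the bound is taken from a different array than the one being indexed. This is an added example, not code from the QEMU tree or from either participant: the SDState layout, the buffer sizes (512 bytes of data, 64 bytes of sd_status) and the function names are assumptions made for the example. The helpers report a full buffer to the caller instead of aborting, which is one alternative to the assert() in the patch; classify_bound_check() shows the two failure modes of a mismatched bound, a spurious abort on a legal access and an overflow that slips through.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fields of QEMU's SDState that the thread
 * touches. The buffer sizes are assumptions for the example, not values
 * read from hw/sd/sd.c. */
typedef struct {
    uint8_t  data[512];
    uint8_t  sd_status[64];
    uint32_t data_offset;
} SDState;

/* Append one byte to sd->data. The bound is taken from the array that is
 * actually indexed on the next line, so it cannot be paired with another
 * buffer's size. A full buffer is reported to the caller rather than
 * aborting the process with assert(). */
static bool sd_data_append(SDState *sd, uint8_t value)
{
    if (sd->data_offset >= sizeof(sd->data)) {
        return false;
    }
    sd->data[sd->data_offset++] = value;
    return true;
}

/* Read the next byte of sd->data into *out under the same bound. */
static bool sd_data_read(SDState *sd, uint8_t *out)
{
    if (sd->data_offset >= sizeof(sd->data)) {
        return false;
    }
    *out = sd->data[sd->data_offset++];
    return true;
}

/* What a check of `off < checked_size` does for an access at `off` into an
 * array of `actual_size` bytes. Used to show the two ways a bound copied
 * from the wrong array misbehaves. */
typedef enum {
    CHECK_PASS,            /* in bounds, allowed */
    CHECK_REJECT,          /* out of bounds, correctly rejected */
    CHECK_SPURIOUS_REJECT, /* in bounds, but rejected (needless abort) */
    CHECK_MISSED_OOB       /* out of bounds, but allowed (real overflow) */
} check_result;

static check_result classify_bound_check(size_t off, size_t actual_size,
                                         size_t checked_size)
{
    bool in_bounds = off < actual_size;
    bool allowed   = off < checked_size;

    if (in_bounds) {
        return allowed ? CHECK_PASS : CHECK_SPURIOUS_REJECT;
    }
    return allowed ? CHECK_MISSED_OOB : CHECK_REJECT;
}

/* Feed n constructed bytes (a simple counter pattern) through
 * sd_data_append and return how many were accepted. */
static size_t fill_count(size_t n)
{
    SDState sd;
    size_t accepted = 0;

    memset(&sd, 0, sizeof(sd));
    for (size_t i = 0; i < n; i++) {
        if (sd_data_append(&sd, (uint8_t)i)) {
            accepted++;
        }
    }
    return accepted;
}

/* Fill the buffer completely, rewind, and read it back: true if every byte
 * round-trips and the read past the end is refused. */
static bool roundtrip_ok(void)
{
    SDState sd;
    uint8_t b;

    memset(&sd, 0, sizeof(sd));
    for (size_t i = 0; i < sizeof(sd.data); i++) {
        if (!sd_data_append(&sd, (uint8_t)(i * 7))) {
            return false;
        }
    }
    sd.data_offset = 0;
    for (size_t i = 0; i < sizeof(sd.data); i++) {
        if (!sd_data_read(&sd, &b) || b != (uint8_t)(i * 7)) {
            return false;
        }
    }
    return !sd_data_read(&sd, &b); /* the 513th read must be refused */
}
```

With the assumed sizes, checking an index into data against sizeof(sd_status) rejects every legal offset from 64 upward; with the sizes the other way round, the same mismatch would let an out-of-bounds read through. Deriving the bound from the array expression that is indexed, as the helpers do, removes both possibilities.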
