From 92d826ac57e753da120a82cded354931b3fe8e76 Mon Sep 17 00:00:00 2001
From: Brandon Maier
Date: Wed, 2 Nov 2022 17:47:55 -0500
Subject: misc-utils: flashcp: fix buffer overflow

The DIFF_BLOCKS code requires that src and dest buffers be large enough to hold one MTD erasesize. This is because each loop operates on one eraseblock so that it can erase and write one whole sector. But the src and dest buffers are fixed at BUFSIZE, so on platforms where the MTD erasesize are larger then BUFSIZE it will overflow the buffers. Instead allocate the buffers dynamically so that they can be sized to fit the erasesize.

Signed-off-by: Brandon Maier
Signed-off-by: David Oberhollenzer
---
 misc-utils/flashcp.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/misc-utils/flashcp.c b/misc-utils/flashcp.c
index 9e92fa2..1dc0877 100644
--- a/misc-utils/flashcp.c
+++ b/misc-utils/flashcp.c
@@ -57,9 +57,6 @@
 #define KB(x) ((x) / 1024)
 #define PERCENTAGE(x,total) (((x) * 100) / (total))
 
-/* size of read/write buffer */
-#define BUFSIZE (10 * 1024)
-
 /* cmd-line flags */
 #define FLAG_NONE 0x00
 #define FLAG_HELP 0x02
@@ -222,7 +219,7 @@ int main (int argc,char *argv[])
 	struct mtd_info_user mtd;
 	struct erase_info_user erase;
 	struct stat filestat;
-	unsigned char src[BUFSIZE],dest[BUFSIZE];
+	unsigned char *src,*dest;
 
 	/*********************
 	 * parse cmd-line
@@ -304,6 +301,14 @@ int main (int argc,char *argv[])
 	if (filestat.st_size > mtd.size)
 		log_failure("%s won't fit into %s!\n",filename,device);
 
+	src = malloc(mtd.erasesize);
+	if (!src)
+		log_failure("Malloc failed");
+
+	dest = malloc(mtd.erasesize);
+	if (!dest)
+		log_failure("Malloc failed");
+
 	/* diff block flashcp */
 	if (flags & FLAG_PARTITION) {
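Review bot: The two new allocations take their size straight from the ioctl-reported `mtd.erasesize` with no sanity check, and both `Malloc failed` messages drop the trailing newline that the `log_failure` call two lines above uses. If a device ever reports an erasesize of 0, `malloc(0)` may succeed with a buffer that cannot hold anything, and from what the later hunks show (`i = mtd.erasesize` feeding the write and verify loops) those loops would then make no progress; a guard before the allocations, `if (mtd.erasesize == 0) log_failure("%s reports a zero erasesize\n",device);`, closes that, and `log_failure("Malloc failed\n");` keeps the messages consistent with their neighbours. The buffers are never freed, which is tolerable for a tool whose error paths all exit, but a `free(src); free(dest);` on the normal exit path would keep leak checkers quiet. The enclosing main continues outside the hunk.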
@@ -355,11 +360,11 @@ int main (int argc,char *argv[])
 	log_verbose ("Writing data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 	size = filestat.st_size;
-	i = BUFSIZE;
+	i = mtd.erasesize;
 	written = 0;
 	while (size)
 	{
-		if (size < BUFSIZE) i = size;
+		if (size < mtd.erasesize) i = size;
 		log_verbose ("\rWriting data: %dk/%lluk (%llu%%)",
 				KB (written + i),
 				KB ((unsigned long long)filestat.st_size),
@@ -386,12 +391,12 @@ int main (int argc,char *argv[])
 	safe_rewind (fil_fd,filename);
 	safe_rewind (dev_fd,device);
 	size = filestat.st_size;
-	i = BUFSIZE;
+	i = mtd.erasesize;
 	written = 0;
 	log_verbose ("Verifying data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 	while (size)
 	{
-		if (size < BUFSIZE) i = size;
+		if (size < mtd.erasesize) i = size;
 		log_verbose ("\rVerifying data: %luk/%lluk (%llu%%)",
 				KB (written + i),
 				KB ((unsigned long long)filestat.st_size),
-- 
cgit v1.2.3
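Review bot: `i = mtd.erasesize;` and `if (size < mtd.erasesize) i = size;` now tie the chunk size to an unsigned 32-bit device field, while `i` is declared outside the hunk; if it is an `int`, as the `%dk` format on the next line suggests, the assignment silently narrows and `size < mtd.erasesize` mixes signedness depending on how `size` is declared, so copying the value once into a `size_t` local and using that in both places would make the intent explicit. The same pattern is repeated in the verify loop in the next hunk. Since nothing in either loop states why the chunk is one eraseblock, a comment at the first assignment, `/* one eraseblock per pass; src and dest were allocated at mtd.erasesize */`, would record the invariant the earlier allocation established. The enclosing main starts and continues outside both hunks.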