On Mon, Mar 25, 2013 at 04:32:15PM +0100, Alexander Aring wrote:
> Hi,
>
> On Mon, Mar 25, 2013 at 04:15:57PM +0100, Jan Weitzel wrote:
> > There was a erase block sized (here 131072) char buf array on the stack.
> > Changed this to get the space from malloc preventing stack overflows.
> > Also fix a wrong return without clean up.
> >
> > Signed-off-by: Jan Weitzel <j.weitzel@xxxxxxxxx>
> > ---
> > commands/ubiformat.c | 22 +++++++++++++++-------
> > 1 files changed, 15 insertions(+), 7 deletions(-)
> >
> > diff --git a/commands/ubiformat.c b/commands/ubiformat.c
> > index 47941be..121816f 100644
> > --- a/commands/ubiformat.c
> > +++ b/commands/ubiformat.c
> > @@ -296,13 +296,20 @@ static int mark_bad(const struct mtd_dev_info *mtd, struct ubi_scan_info *si, in
> > static int flash_image(const struct mtd_dev_info *mtd,
> > const struct ubigen_info *ui, struct ubi_scan_info *si)
> > {
> > - int fd, img_ebs, eb, written_ebs = 0, divisor;
> > + int fd, img_ebs, eb, written_ebs = 0, divisor, ret = -1;
> > off_t st_size;
> > + char *buf = NULL;
> >
> > fd = open_file(&st_size);
> > if (fd < 0)
> > return fd;
> >
> > + buf = malloc(mtd->eb_size);
> > + if (!buf) {
> > + sys_errmsg("cannot allocate %d bytes of memory", mtd->eb_size);
> > + goto out_close;
>
> meep, out_close will call free(buf). You need to add a new label above
> free(buf);
>
ah, free is null proofed sry.
Alex
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
