From 053a763aa61a801ac2259ee87aaed4cd140557d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franck=20H=C3=89R=C3=89SON?= <franck.hereson@secad.fr>
Date: Wed, 28 Oct 2009 10:24:55 -0700
Subject: [PATCH] bugfix: stack corruption loading IHex images

The Hex parser uses a fixed number of sections.  When the
number of sections in the file is greater than that, the
stack gets corrupted and a CHECKSUM ERROR is detected
which is very confusing.

This checks the number of sections read, and increases
IMAGE_MAX_SECTIONS so it works on my file.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
---
 src/target/image.c | 21 +++++++++++++++++++++
 src/target/image.h |  2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/src/target/image.c b/src/target/image.c
index d51e8743b..b9e641b33 100644
--- a/src/target/image.c
+++ b/src/target/image.c
@@ -8,6 +8,9 @@
  *   Copyright (C) 2008 by Spencer Oliver                                  *
  *   spen@spen-soft.co.uk                                                  *
  *                                                                         *
+ *   Copyright (C) 2009 by Franck Hereson                                  *
+ *   franck.hereson@secad.fr                                               *
+ *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
  *   it under the terms of the GNU General Public License as published by  *
  *   the Free Software Foundation; either version 2 of the License, or     *
@@ -196,6 +199,12 @@ static int image_ihex_buffer_complete(image_t *image)
 				if (section[image->num_sections].size != 0)
 				{
 					image->num_sections++;
+					if (image->num_sections >= IMAGE_MAX_SECTIONS)
+					{
+						/* too many sections */
+						LOG_ERROR("Too many sections found in IHEX file");
+						return ERROR_IMAGE_FORMAT_ERROR;
+					}
 					section[image->num_sections].size = 0x0;
 					section[image->num_sections].flags = 0;
 					section[image->num_sections].private = &ihex->buffer[cooked_bytes];
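Review bot: The same six-line bound check is pasted after `image->num_sections++` in three places (this hunk and the two at new lines 261 and 307), so a later path that opens a new section could easily miss it; a small static helper that increments, checks and resets the slot would keep the guard in one place. The check is placed correctly for the `section[image->num_sections]` writes that follow it. The message would be easier to act on if it named the compile-time cap, e.g. `LOG_ERROR("Too many sections found in IHEX file (limit %d)", IMAGE_MAX_SECTIONS);`, because a file over the cap is not necessarily malformed. The enclosing function starts and ends outside these hunks, so whether the early return skips any cleanup is not visible here and should be confirmed.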
@@ -252,6 +261,12 @@ static int image_ihex_buffer_complete(image_t *image)
 				if (section[image->num_sections].size != 0)
 				{
 					image->num_sections++;
+					if (image->num_sections >= IMAGE_MAX_SECTIONS)
+					{
+						/* too many sections */
+						LOG_ERROR("Too many sections found in IHEX file");
+						return ERROR_IMAGE_FORMAT_ERROR;
+					}
 					section[image->num_sections].size = 0x0;
 					section[image->num_sections].flags = 0;
 					section[image->num_sections].private = &ihex->buffer[cooked_bytes];
@@ -292,6 +307,12 @@ static int image_ihex_buffer_complete(image_t *image)
 				if (section[image->num_sections].size != 0)
 				{
 					image->num_sections++;
+					if (image->num_sections >= IMAGE_MAX_SECTIONS)
+					{
+						/* too many sections */
+						LOG_ERROR("Too many sections found in IHEX file");
+						return ERROR_IMAGE_FORMAT_ERROR;
+					}
 					section[image->num_sections].size = 0x0;
 					section[image->num_sections].flags = 0;
 					section[image->num_sections].private = &ihex->buffer[cooked_bytes];
diff --git a/src/target/image.h b/src/target/image.h
index d90b544a4..551524e30 100644
--- a/src/target/image.h
+++ b/src/target/image.h
@@ -33,7 +33,7 @@
 #endif
 
 #define IMAGE_MAX_ERROR_STRING		(256)
-#define IMAGE_MAX_SECTIONS			(128)
+#define IMAGE_MAX_SECTIONS			(512)
 
 #define IMAGE_MEMORY_CACHE_SIZE		(2048)
 
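Review bot: `IMAGE_MAX_SECTIONS` has no comment saying what it bounds. The commit message suggests it sizes a stack-local section array in the IHEX parser, so raising it from 128 to 512 probably quadruples that frame, which is worth confirming on hosts with small thread stacks. I would document it on the define, e.g. `/* max sections per image; parsers reject files that need more */`. The value is still tuned to one input file; a heap-allocated, growable section table would remove the cap, but that is outside this hunk.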
-- 
GitLab