bugfix: stack corruption loading IHex images

The Hex parser uses a fixed number of sections.  When the
number of sections in the file is greater than that, the
stack get corrupted and a CHECKSUM ERROR is detected
which is very confusing.

This checks the number of sections read, and increases
IMAGE_MAX_SECTIONS so it works on my file.

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>

diff --git a/src/target/image.c b/src/target/image.c
index d51e8743b23ba5f6c5b11c6972ae6bad9083800c..b9e641b331217bbc41a4d35f5af1f0c9d319bd58 100644 (file)
--- a/src/target/image.c
+++ b/src/target/image.c
@@ -8,6 +8,9 @@
  *   Copyright (C) 2008 by Spencer Oliver                                  *
  *   spen@spen-soft.co.uk                                                  *
  *                                                                         *
+ *   Copyright (C) 2009 by Franck Hereson                                  *
+ *   franck.hereson@secad.fr                                               *
+ *                                                                         *
  *   This program is free software; you can redistribute it and/or modify  *
  *   it under the terms of the GNU General Public License as published by  *
  *   the Free Software Foundation; either version 2 of the License, or     *
@@ -196,6 +199,12 @@ static int image_ihex_buffer_complete(image_t *image)
                                if (section[image->num_sections].size != 0)
                                {
                                        image->num_sections++;
+                                       if (image->num_sections >= IMAGE_MAX_SECTIONS)
+                                       {
+                                               /* too many sections */
+                                               LOG_ERROR("Too many sections found in IHEX file");
+                                               return ERROR_IMAGE_FORMAT_ERROR;
+                                       }
                                        section[image->num_sections].size = 0x0;
                                        section[image->num_sections].flags = 0;
                                        section[image->num_sections].private = &ihex->buffer[cooked_bytes];
@@ -252,6 +261,12 @@ static int image_ihex_buffer_complete(image_t *image)
                                if (section[image->num_sections].size != 0)
                                {
                                        image->num_sections++;
+                                       if (image->num_sections >= IMAGE_MAX_SECTIONS)
+                                       {
+                                               /* too many sections */
+                                               LOG_ERROR("Too many sections found in IHEX file");
+                                               return ERROR_IMAGE_FORMAT_ERROR;
+                                       }
                                        section[image->num_sections].size = 0x0;
                                        section[image->num_sections].flags = 0;
                                        section[image->num_sections].private = &ihex->buffer[cooked_bytes];
@@ -292,6 +307,12 @@ static int image_ihex_buffer_complete(image_t *image)
                                if (section[image->num_sections].size != 0)
                                {
                                        image->num_sections++;
+                                       if (image->num_sections >= IMAGE_MAX_SECTIONS)
+                                       {
+                                               /* too many sections */
+                                               LOG_ERROR("Too many sections found in IHEX file");
+                                               return ERROR_IMAGE_FORMAT_ERROR;
+                                       }
                                        section[image->num_sections].size = 0x0;
                                        section[image->num_sections].flags = 0;
                                        section[image->num_sections].private = &ihex->buffer[cooked_bytes];

diff --git a/src/target/image.h b/src/target/image.h
index d90b544a449929b8dd3a52d9d8ad4ff6dc68e209..551524e306292aaafba5a0e7a97fec6d988c2e1e 100644 (file)
--- a/src/target/image.h
+++ b/src/target/image.h
@@ -33,7 +33,7 @@
 #endif
 
 #define IMAGE_MAX_ERROR_STRING         (256)
-#define IMAGE_MAX_SECTIONS                     (128)
+#define IMAGE_MAX_SECTIONS                     (512)
 
 #define IMAGE_MEMORY_CACHE_SIZE                (2048)