matrix-io / xc3sprog

xc3sprog is a suite of utilities for programming Xilinx FPGAs, CPLDs, and EEPROMs with the Xilinx Parallel Cable and other JTAG adapters under Linux. Used to program the FPGA of the MATRIX Creator/Voice via Raspberry Pi.

Sparse IHEX files cause out of bounds memory access, segfault #39

Open Shachar opened 1 year ago

Shachar commented 1 year ago

I have an MCS file (big endian Intel HEX format). It contains 12868 bytes, but those start (via the "4" command) at address 0x200000 (2MB into the flash).

The code in the MCS parser allocates a buffer the size of the file (so, 35424 bytes), and then uses the calculated address (2MB) to index into it. This creates an out of bounds access which results in a segmentation fault.

The difference in buffer size (based on the size of the textual MCS file) vs. the data size gives some leeway, but if the offset is too big, the code is completely broken for handling files that don't have all of their data right at the beginning of the flash.

Shachar commented 1 year ago

I'm attaching the first 30 lines of the MCS file. They should be enough to see the problem happening.

:020000040020DA
:100000007F454C4601010100000000000000000097
:100010000200F300010000000080008034000000B6
:100020008C30000000000000340020000400280094
:100030000B000A0003000070003000000000000206
:10004000000000011C00000000000000040000008F
:10005000010000000100000000100000008000808E
:1000600000800080480A0000480A000005000000E7
:1000700000100000010000000020000000001080BF
:100080000000108024010000240100000400000092
:10009000001000000100000000300000000020807F
:1000A00000002080000000000000000006000000AA
:1000B0000010000000000000000000000000000030
:1000C0000000000000000000000000000000000030
:1000D0000000000000000000000000000000000020
:1000E0000000000000000000000000000000000010
:1000F0000000000000000000000000000000000000
:1001000000000000000000000000000000000000EF
:1001100000000000000000000000000000000000DF
:1001200000000000000000000000000000000000CF
:1001300000000000000000000000000000000000BF
:1001400000000000000000000000000000000000AF
:10015000000000000000000000000000000000009F
:10016000000000000000000000000000000000008F
:10017000000000000000000000000000000000007F
:10018000000000000000000000000000000000006F
:10019000000000000000000000000000000000005F
:1001A000000000000000000000000000000000004F
:1001B000000000000000000000000000000000003F
:1001C000000000000000000000000000000000002F
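The buffer-sizing problem described in this issue, as an added example that is not xc3sprog's own parser: the reader below tracks the base set by type-04 records and allocates from the lowest and highest addresses actually present, so an image starting at 0x200000 needs a buffer the size of its data, not an index 2 MB past the end of a buffer sized from the text file. It assumes only type 00, 01 and 04 records (the ones in the attachment); names such as parseIhex and SAMPLE_MCS are this example's own.

```cpp
// Added example, not xc3sprog code: an Intel HEX reader that honours type-04
// Extended Linear Address records and sizes its buffer from the addresses seen.
#include <algorithm>
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>
struct HexImage { uint32_t base = 0; std::vector<uint8_t> data; };  // data[0] lives at base
static uint8_t hexByte(const std::string& s, size_t pos) {
    return static_cast<uint8_t>(std::stoul(s.substr(pos, 2), nullptr, 16));
}
// Parses IHEX text; throws on a short record or a checksum mismatch.
HexImage parseIhex(const std::string& text) {
    std::vector<std::pair<uint32_t, std::vector<uint8_t>>> chunks;  // (abs addr, bytes)
    uint32_t upper = 0;  // address bits 31..16, set by the most recent type-04 record
    std::istringstream in(text); std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] != ':') continue;
        size_t len = hexByte(line, 1);
        if (line.size() < 11 + 2 * len) throw std::runtime_error("short record");
        uint8_t sum = 0;  // all record bytes including the checksum sum to 0 mod 256
        for (size_t i = 1; i < 11 + 2 * len; i += 2) sum += hexByte(line, i);
        if (sum != 0) throw std::runtime_error("bad checksum");
        uint32_t addr = (hexByte(line, 3) << 8) | hexByte(line, 5);
        uint8_t type = hexByte(line, 7);
        if (type == 0x04) {  // the "4" record from the issue: new upper address bits
            upper = static_cast<uint32_t>((hexByte(line, 9) << 8) | hexByte(line, 11)) << 16;
        } else if (type == 0x00) {  // data record, absolute address is upper + addr
            std::vector<uint8_t> bytes(len);
            for (size_t i = 0; i < len; ++i) bytes[i] = hexByte(line, 9 + 2 * i);
            chunks.emplace_back(upper + addr, std::move(bytes));
        } else if (type == 0x01) break;  // end-of-file record
    }
    HexImage img; if (chunks.empty()) return img;
    uint64_t lo = UINT64_MAX, hi = 0;  // span of addresses actually carrying data
    for (const auto& c : chunks) {
        lo = std::min<uint64_t>(lo, c.first);
        hi = std::max<uint64_t>(hi, c.first + c.second.size());
    }
    img.base = static_cast<uint32_t>(lo);
    img.data.assign(static_cast<size_t>(hi - lo), 0xFF);  // gaps read as erased flash
    for (const auto& c : chunks)  // c.first - lo is always < data.size(), so no OOB write
        std::copy(c.second.begin(), c.second.end(), img.data.begin() + (c.first - lo));
    return img;
}
// Constructed input: the first four records of the attachment above.
const std::string SAMPLE_MCS = ":020000040020DA\n:100000007F454C4601010100000000000000000097\n"
    ":100010000200F300010000000080008034000000B6\n:100020008C30000000000000340020000400280094\n";
```

For the sample above the parser returns base 0x200000 with 48 bytes of data, while the text itself is only a few hundred characters long, which is exactly why an address-indexed, text-length-sized buffer faults.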