From 8edeec2bd76e9158be0bc17cb0ec0f82425ee7f5 Mon Sep 17 00:00:00 2001 From: Kevin Thomas Date: Sat, 9 May 2026 16:40:32 -0400 Subject: [PATCH] Fix flash bounds check --- drivers/0x0f_flash/flash.c | 12 ++++++++++++ drivers/0x0f_flash/flash.h | 15 +++++++++------ drivers/0x0f_flash_cbm/Inc/rp2350_flash.h | 19 +++++++++++++------ drivers/0x0f_flash_cbm/Src/rp2350_flash.c | 8 ++++++++ 4 files changed, 42 insertions(+), 12 deletions(-) diff --git a/drivers/0x0f_flash/flash.c b/drivers/0x0f_flash/flash.c index ad010cb..48f7e46 100644 --- a/drivers/0x0f_flash/flash.c +++ b/drivers/0x0f_flash/flash.c @@ -34,6 +34,12 @@ #include "pico/stdlib.h" void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len) { + if (data == NULL || flash_offset >= FLASH_DRIVER_SIZE_BYTES) { + return; + } + if (len > FLASH_DRIVER_SIZE_BYTES - flash_offset) { + len = FLASH_DRIVER_SIZE_BYTES - flash_offset; + } uint32_t ints = save_and_disable_interrupts(); flash_range_erase(flash_offset, FLASH_SECTOR_SIZE); flash_range_program(flash_offset, data, len); @@ -41,6 +47,12 @@ void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len } void flash_driver_read(uint32_t flash_offset, uint8_t *out, uint32_t len) { + if (out == NULL || flash_offset >= FLASH_DRIVER_SIZE_BYTES) { + return; + } + if (len > FLASH_DRIVER_SIZE_BYTES - flash_offset) { + len = FLASH_DRIVER_SIZE_BYTES - flash_offset; + } const uint8_t *flash_target_contents = (const uint8_t *)(XIP_BASE + flash_offset); memcpy(out, flash_target_contents, len); } diff --git a/drivers/0x0f_flash/flash.h b/drivers/0x0f_flash/flash.h index cd251d8..aec8385 100644 --- a/drivers/0x0f_flash/flash.h +++ b/drivers/0x0f_flash/flash.h 
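Review bot: The clamp in flash_driver_write silently shortens the write and, because the function returns void, the caller has no way to learn that fewer bytes than requested reached flash; an out-of-range request here is a caller bug, so rejecting it is safer than truncating it: `if (len > FLASH_DRIVER_SIZE_BYTES - flash_offset) { return; }`. The clamp can also yield a `len` that is not a multiple of FLASH_DRIVER_PAGE_SIZE, which the header documents as a precondition, and neither that nor the sector alignment of `flash_offset` is checked alongside the new range test, so a misaligned offset can still push the fixed-size erase past the end of flash. Separately, the erase on the following context line covers one FLASH_SECTOR_SIZE while the program call uses `len`, so any length above one sector is programmed into unerased flash — pre-existing and not introduced by this commit, but it belongs next to these guards. The same clamp-instead-of-reject pattern appears in flash_driver_read in the next hunk, where it leaves the tail of `out` unwritten with no signal to the caller, and in flash_write and flash_read in rp2350_flash.c.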
@@ -44,13 +44,15 @@ * @brief Erase one 4096-byte sector and write data to on-chip flash * * The target address must be aligned to a 4096-byte sector boundary. - * The function disables interrupts, erases the containing sector, - * programs up to @p len bytes from @p data, and re-enables interrupts. The + * The function guards against NULL @p data and out-of-range @p flash_offset, + * returning immediately if either is invalid. If @p len would exceed the + * flash boundary it is clamped to the remaining space. Interrupts are + * disabled for the erase+program sequence and re-enabled on return. The * write length must be a multiple of FLASH_DRIVER_PAGE_SIZE (256 bytes); * pad with 0xFF if necessary. * * @param flash_offset Byte offset from the start of flash (must be sector-aligned) - * @param data Pointer to the data buffer to write + * @param data Pointer to the data buffer to write (must not be NULL) * @param len Number of bytes to write (multiple of FLASH_DRIVER_PAGE_SIZE) */ void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len); @@ -59,11 +61,12 @@ void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len * @brief Read bytes from on-chip flash via the XIP memory map * * Flash is memory-mapped starting at XIP_BASE (0x10000000). This function - * copies @p len bytes beginning at @p flash_offset into @p out using the - * XIP read path, which is always available without erasing. + * guards against NULL @p out and out-of-range @p flash_offset, returning + * immediately if either is invalid. If @p len would exceed the flash + * boundary it is clamped to the remaining space before the memcpy. * * @param flash_offset Byte offset from the start of flash - * @param out Pointer to the destination buffer (must be @p len bytes) + * @param out Pointer to the destination buffer (must not be NULL) * @param len Number of bytes to read */ void flash_driver_read(uint32_t flash_offset, uint8_t *out, uint32_t len); 
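Review bot: The rewritten paragraph for flash_driver_write now promises that an over-long @p len is clamped, yet two lines later still requires @p len to be a multiple of FLASH_DRIVER_PAGE_SIZE; a clamped value need not satisfy that, and the comment should say which rule governs and that the caller gets no indication of truncation, e.g. `@note Truncation is silent: the function returns void, so callers must size requests to fit.` The same sentence would help the flash_driver_read block below, whose new text likewise omits that a clamped read leaves the remainder of @p out untouched. The identical wording is copied into rp2350_flash.h in the next file and should be adjusted in the same way.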
diff --git a/drivers/0x0f_flash_cbm/Inc/rp2350_flash.h b/drivers/0x0f_flash_cbm/Inc/rp2350_flash.h index 0c5eb09..a00f5ea 100644 --- a/drivers/0x0f_flash_cbm/Inc/rp2350_flash.h +++ b/drivers/0x0f_flash_cbm/Inc/rp2350_flash.h @@ -38,13 +38,15 @@ /** * @brief Erase the containing sector(s) and program data to flash. * - * The data buffer must reside in RAM (not flash). Interrupts - * are disabled for the duration of the erase/program cycle. - * The write length must be a multiple of FLASH_PAGE_SIZE - * (256 bytes); pad with 0xFF if necessary. + * The data buffer must reside in RAM (not flash). Guards against + * NULL @p data and out-of-range @p offset, returning immediately + * if either is invalid. If @p len would exceed the flash boundary + * it is clamped to the remaining space. Interrupts are disabled + * for the erase/program cycle. The write length must be a multiple + * of FLASH_PAGE_SIZE (256 bytes); pad with 0xFF if necessary. * * @param offset byte offset from the start of flash (sector-aligned) - * @param data pointer to the source buffer in RAM + * @param data pointer to the source buffer in RAM (must not be NULL) * @param len number of bytes to write * @retval None */ @@ -52,8 +54,13 @@ void flash_write(uint32_t offset, const uint8_t *data, uint32_t len); /** * @brief Read bytes from on-chip flash via the XIP memory map. + * + * Guards against NULL @p out and out-of-range @p offset, returning + * immediately if either is invalid. If @p len would exceed the flash + * boundary it is clamped to the remaining space before the read. + * * @param offset byte offset from the start of flash - * @param out pointer to the destination buffer + * @param out pointer to the destination buffer (must not be NULL) * @param len number of bytes to read * @retval None */ diff --git a/drivers/0x0f_flash_cbm/Src/rp2350_flash.c b/drivers/0x0f_flash_cbm/Src/rp2350_flash.c index 660bdf3..1007130 100644 --- a/drivers/0x0f_flash_cbm/Src/rp2350_flash.c 
+++ b/drivers/0x0f_flash_cbm/Src/rp2350_flash.c @@ -123,6 +123,10 @@ static void flash_erase_program_ram(const FlashRomFns *fns, uint32_t offset, void flash_write(uint32_t offset, const uint8_t *data, uint32_t len) { + if (data == NULL || offset >= FLASH_SIZE) + return; + if (len > FLASH_SIZE - offset) + len = FLASH_SIZE - offset; FlashRomFns fns; lookup_rom_fns(&fns); uint32_t primask; @@ -134,6 +138,10 @@ void flash_write(uint32_t offset, const uint8_t *data, uint32_t len) void flash_read(uint32_t offset, uint8_t *out, uint32_t len) { + if (out == NULL || offset >= FLASH_SIZE) + return; + if (len > FLASH_SIZE - offset) + len = FLASH_SIZE - offset; const uint8_t *src = (const uint8_t *)(XIP_BASE + offset); for (uint32_t i = 0; i < len; i++) out[i] = src[i];