Fix flash bounds check

drivers/0x0f_flash/flash.c

@@ -34,6 +34,12 @@
 #include "pico/stdlib.h"
 
 void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len) {
+    if (data == NULL || flash_offset >= FLASH_DRIVER_SIZE_BYTES) {
+        return;
+    }
+    if (len > FLASH_DRIVER_SIZE_BYTES - flash_offset) {
+        len = FLASH_DRIVER_SIZE_BYTES - flash_offset;
+    }
     uint32_t ints = save_and_disable_interrupts();
     flash_range_erase(flash_offset, FLASH_SECTOR_SIZE);
     flash_range_program(flash_offset, data, len);
@@ -41,6 +47,12 @@ void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len
 }
 
 void flash_driver_read(uint32_t flash_offset, uint8_t *out, uint32_t len) {
+    if (out == NULL || flash_offset >= FLASH_DRIVER_SIZE_BYTES) {
+        return;
+    }
+    if (len > FLASH_DRIVER_SIZE_BYTES - flash_offset) {
+        len = FLASH_DRIVER_SIZE_BYTES - flash_offset;
+    }
     const uint8_t *flash_target_contents = (const uint8_t *)(XIP_BASE + flash_offset);
     memcpy(out, flash_target_contents, len);
 }

drivers/0x0f_flash/flash.h

@@ -44,13 +44,15 @@
  * @brief Erase one 4096-byte sector and write data to on-chip flash
  *
  * The target address must be aligned to a 4096-byte sector boundary.
- * The function disables interrupts, erases the containing sector,
+ * The function guards against NULL @p data and out-of-range @p flash_offset,
- * programs up to @p len bytes from @p data, and re-enables interrupts. The
+ * returning immediately if either is invalid. If @p len would exceed the
+ * flash boundary it is clamped to the remaining space. Interrupts are
+ * disabled for the erase+program sequence and re-enabled on return. The
  * write length must be a multiple of FLASH_DRIVER_PAGE_SIZE (256 bytes);
  * pad with 0xFF if necessary.
  *
  * @param flash_offset Byte offset from the start of flash (must be sector-aligned)
- * @param data         Pointer to the data buffer to write
+ * @param data         Pointer to the data buffer to write (must not be NULL)
  * @param len          Number of bytes to write (multiple of FLASH_DRIVER_PAGE_SIZE)
  */
 void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len);
@@ -59,11 +61,12 @@ void flash_driver_write(uint32_t flash_offset, const uint8_t *data, uint32_t len
  * @brief Read bytes from on-chip flash via the XIP memory map
  *
  * Flash is memory-mapped starting at XIP_BASE (0x10000000). This function
- * copies @p len bytes beginning at @p flash_offset into @p out using the
+ * guards against NULL @p out and out-of-range @p flash_offset, returning
- * XIP read path, which is always available without erasing.
+ * immediately if either is invalid. If @p len would exceed the flash
+ * boundary it is clamped to the remaining space before the memcpy.
  *
  * @param flash_offset Byte offset from the start of flash
- * @param out          Pointer to the destination buffer (must be @p len bytes)
+ * @param out          Pointer to the destination buffer (must not be NULL)
  * @param len          Number of bytes to read
  */
 void flash_driver_read(uint32_t flash_offset, uint8_t *out, uint32_t len);

drivers/0x0f_flash_cbm/Inc/rp2350_flash.h

@@ -38,13 +38,15 @@
 /**
   * @brief  Erase the containing sector(s) and program data to flash.
   *
-  *         The data buffer must reside in RAM (not flash). Interrupts
+  *         The data buffer must reside in RAM (not flash). Guards against
-  *         are disabled for the duration of the erase/program cycle.
+  *         NULL @p data and out-of-range @p offset, returning immediately
-  *         The write length must be a multiple of FLASH_PAGE_SIZE
+  *         if either is invalid. If @p len would exceed the flash boundary
-  *         (256 bytes); pad with 0xFF if necessary.
+  *         it is clamped to the remaining space. Interrupts are disabled
+  *         for the erase/program cycle. The write length must be a multiple
+  *         of FLASH_PAGE_SIZE (256 bytes); pad with 0xFF if necessary.
   *
   * @param  offset byte offset from the start of flash (sector-aligned)
-  * @param  data   pointer to the source buffer in RAM
+  * @param  data   pointer to the source buffer in RAM (must not be NULL)
   * @param  len    number of bytes to write
   * @retval None
   */
@@ -52,8 +54,13 @@ void flash_write(uint32_t offset, const uint8_t *data, uint32_t len);
 
 /**
   * @brief  Read bytes from on-chip flash via the XIP memory map.
+  *
+  *         Guards against NULL @p out and out-of-range @p offset, returning
+  *         immediately if either is invalid. If @p len would exceed the flash
+  *         boundary it is clamped to the remaining space before the read.
+  *
   * @param  offset byte offset from the start of flash
-  * @param  out    pointer to the destination buffer
+  * @param  out    pointer to the destination buffer (must not be NULL)
   * @param  len    number of bytes to read
   * @retval None
   */

drivers/0x0f_flash_cbm/Src/rp2350_flash.c

@@ -123,6 +123,10 @@ static void flash_erase_program_ram(const FlashRomFns *fns, uint32_t offset,
 
 void flash_write(uint32_t offset, const uint8_t *data, uint32_t len)
 {
+  if (data == NULL || offset >= FLASH_SIZE)
+    return;
+  if (len > FLASH_SIZE - offset)
+    len = FLASH_SIZE - offset;
   FlashRomFns fns;
   lookup_rom_fns(&fns);
   uint32_t primask;
@@ -134,6 +138,10 @@ void flash_write(uint32_t offset, const uint8_t *data, uint32_t len)
 
 void flash_read(uint32_t offset, uint8_t *out, uint32_t len)
 {
+  if (out == NULL || offset >= FLASH_SIZE)
+    return;
+  if (len > FLASH_SIZE - offset)
+    len = FLASH_SIZE - offset;
   const uint8_t *src = (const uint8_t *)(XIP_BASE + offset);
   for (uint32_t i = 0; i < len; i++)
     out[i] = src[i];