Fixes #476: Accessing freed memory in fastboot.c #477

henrik-haltian · 2025-06-13T08:16:33Z

The original code takes a pointer (sparse_header * pfile) to a DataBuffer that is freed in subsequent calls to the request_data() function of the underlying FileBuffer. However, the pointer is still used to determine various aspects of the sparse file later. These may be already changed if the memory is reused, which leads to invalid values and trashed transfers.

Fix is to store required file_hdr_sz, blk_sz, total_blks and total_chunks as separate variables.

The original code takes a pointer (sparse_header * pfile) to a DataBuffer that is freed in subsequent calls to the request_data() function of the underlying FileBuffer. However, the pointer is still used to determine various aspects of the sparse file later. These may be already changed if the memory is reused, which leads to invalid values and trashed transfers. Fix is to store required file_hdr_sz, blk_sz, total_blks and total_chunks as separate variables. Signed-off-by: Henrik Hedberg <henrik.hedberg@haltian.com>

nxpfrankli · 2025-06-13T13:59:19Z

libuuu/fastboot.cpp

+			blk_sz = pfile->blk_sz;
+			total_blks = pfile->total_blks;
+			total_chunks = pfile->total_chunks;
+		}



Does below change work?

sparse_header header = *(sparse_header *)pb->data();
sparse_header * pfile = &header;

nxpfrankli reviewed Jun 13, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fixes #476: Accessing freed memory in fastboot.c #477

Fixes #476: Accessing freed memory in fastboot.c #477

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Fixes #476: Accessing freed memory in fastboot.c #477

Are you sure you want to change the base?

Fixes #476: Accessing freed memory in fastboot.c #477

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!