From 148a7a60d81875863f45572e5cdbd619c1d4aa98 Mon Sep 17 00:00:00 2001
From: Marshall Dawson <marshalldawson3rd@gmail.com>
Date: Wed, 19 Jul 2017 16:14:03 -0600
Subject: libpayload: Fix unaligned buffer logic in default_memset

Fix an issue when setting an unaligned buffer where n is less
than the difference of the rounded up pointer and the pointer.
This was identified where n=1 was passed.  n was decremented
once, as expected, then decremented again after the while()
evaluated to false.  This resulted in a new n of 4GB.

Change-Id: I862671bbe7efa8d370d0148e22ea55407e260053
Signed-off-by: Marshall Dawson <marshalldawson3rd@gmail.com>
Reviewed-on: https://review.coreboot.org/20655
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Marc Jones <marc@marcjonesconsulting.com>
---
 payloads/libpayload/libc/memory.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'payloads/libpayload')

diff --git a/payloads/libpayload/libc/memory.c b/payloads/libpayload/libc/memory.c
index 2c44764edb..8d0172cc44 100644
--- a/payloads/libpayload/libc/memory.c
+++ b/payloads/libpayload/libc/memory.c
@@ -41,8 +41,10 @@ static void *default_memset(void *s, int c, size_t n)
 	u8 *p = s;
 
 	s = (void *)ALIGN_UP((uintptr_t)s, sizeof(unsigned long));
-	while (p != (u8 *)s && n--)
+	while (p != (u8 *)s && n) {
 		*p++ = c;
+		n--;
+	}
 
 	for (i = 1; i < sizeof(unsigned long); i <<= 1)
 		w = (w << (i * 8)) | w;
-- 
cgit v1.2.3