From 185202c469977ab3c9b55cec7998f7746d518da1 Mon Sep 17 00:00:00 2001
From: Kyösti Mälkki <kyosti.malkki@gmail.com>
Date: Sat, 19 May 2018 08:58:01 +0300
Subject: libpayload: Fix payload .bss corruption
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Third call to newwin() corrupted payload context.
Fix array indexing and check for boundary.

Sample payload coreinfo was affected, loader_eax
variable got corrupted on my particular build.

Change-Id: Iee98901cf57f0689f65ac43aa7e60e8aea092500
Signed-off-by: Kyösti Mälkki <kyosti.malkki@gmail.com>
Reviewed-on: https://review.coreboot.org/26394
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Nico Huber <nico.h@gmx.de>
---
 payloads/libpayload/curses/tinycurses.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'payloads/libpayload')

diff --git a/payloads/libpayload/curses/tinycurses.c b/payloads/libpayload/curses/tinycurses.c
index 6f3f8b8d82..789accb475 100644
--- a/payloads/libpayload/curses/tinycurses.c
+++ b/payloads/libpayload/curses/tinycurses.c
@@ -65,7 +65,7 @@
 
 /* Statically allocate all structures (no malloc())! */
 static WINDOW window_list[MAX_WINDOWS];
-static int window_count = 1;
+static int window_count = 0;
 
 // struct ldat foo;
 static struct ldat ldat_list[MAX_WINDOWS][SCREEN_Y];
@@ -386,12 +386,17 @@ int mvwprintw(WINDOW *win, int y, int x, const char *fmt, ...)
 // SCREEN *newterm (NCURSES_CONST char *,FILE *,FILE *) {}
 WINDOW *newwin(int num_lines, int num_columns, int begy, int begx)
 {
+	WINDOW *win;
 	int i;
 
 	/* Use next statically allocated window. */
-	// TODO: Error handling.
+	// TODO: Error handling. Yes. Please.
 	// TODO: WINDOWLIST?
-	WINDOW *win = &window_list[window_count++];
+
+	if (window_count >= MAX_WINDOWS)
+		return NULL;
+
+	win = &window_list[window_count++];
 
 	// bool is_pad = (flags & _ISPAD);
 
-- 
cgit v1.2.3