From 0f1dc4879abf0d9289a9abbf398f65e0f272f1d4 Mon Sep 17 00:00:00 2001
From: Jon Lin
Date: Mon, 15 Jun 2020 15:24:48 +0800
Subject: [PATCH] mtd: mtd_blk: Check map table block address overflow

1.Check map table block address overflow
2.Reinit map table original value
Change-Id: I4450b5a6856e38e2624da9db31d5eb98de7f5696
Signed-off-by: Jon Lin
---
 drivers/mtd/mtd_blk.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/mtd_blk.c b/drivers/mtd/mtd_blk.c
index 002d9a7695..c9780dc8fa 100644
--- a/drivers/mtd/mtd_blk.c
+++ b/drivers/mtd/mtd_blk.c
@@ -49,13 +49,17 @@ int mtd_blk_map_table_init(struct blk_desc *desc,
 } else {
 blk_total = (mtd->size + mtd->erasesize - 1) >> mtd->erasesize_shift;
 if (!mtd_map_blk_table) {
- mtd_map_blk_table = (int *)malloc(blk_total * 4);
- memset(mtd_map_blk_table, MTD_BLK_TABLE_BLOCK_UNKNOWN,
- blk_total * 4);
+ mtd_map_blk_table = (int *)malloc(blk_total * sizeof(int));
+ for (i = 0; i < blk_total; i++)
+ mtd_map_blk_table[i] = MTD_BLK_TABLE_BLOCK_UNKNOWN;
 }
 blk_begin = (u32)offset >> mtd->erasesize_shift;
 blk_cnt = ((u32)((offset & mtd->erasesize_mask) + length) >> mtd->erasesize_shift);
+ if (blk_begin >= blk_total) {
+ pr_err("map table blk begin[%d] overflow\n", blk_begin);
+ return -EINVAL;
+ }
 if ((blk_begin + blk_cnt) > blk_total)
 blk_cnt = blk_total - blk_begin;
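Review bot: The pointer returned by `malloc(blk_total * sizeof(int))` is still not checked, and the added `for` loop writes through it right away, so a failed allocation turns into a NULL-pointer write while the map table is being set up; add `if (!mtd_map_blk_table) return -ENOMEM;` ahead of the loop. The new bounds check compares `blk_begin`, which is derived from `(u32)offset`, so if `offset` is wider than 32 bits (its declaration is outside the hunk) a large offset would be truncated before the check and could pass it; validating `offset` against `mtd->size` before the cast would close that. `pr_err` prints `blk_begin` with `%d` although the surrounding arithmetic treats it as `u32`; `%u` matches if the declaration confirms that. The function starts and ends outside this hunk.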