From b01eaa6d93a009d22b01c695be91f5216517509b Mon Sep 17 00:00:00 2001
From: Eun0us
Date: Tue, 10 Feb 2026 19:15:06 +0100
Subject: [PATCH] fix: validate cache page index before bit-shift in spiffs_cache_page_free

When a SPIFFS filesystem image is malformed, cp->ix can contain an invalid value (e.g. negative). This leads to undefined behavior in the expression `1 << ix` when ix is negative or >= 32. Add a bounds check at the start of spiffs_cache_page_free() to return SPIFFS_ERR_INTERNAL for out-of-range indices. Found via https://github.com/Eun0us/esp-fuzzer

---
 src/spiffs_cache.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/spiffs_cache.c b/src/spiffs_cache.c
index e7cd4b7..badd1a8 100644
--- a/src/spiffs_cache.c
+++ b/src/spiffs_cache.c
@@ -33,6 +33,9 @@ static spiffs_cache_page *spiffs_cache_page_get(spiffs *fs, spiffs_page_ix pix)
 static s32_t spiffs_cache_page_free(spiffs *fs, int ix, u8_t write_back) {
 s32_t res = SPIFFS_OK;
 spiffs_cache *cache = spiffs_get_cache(fs);
+ if (ix < 0 || ix >= (int)cache->cpage_count) {
+ return SPIFFS_ERR_INTERNAL;
+ }
 spiffs_cache_page *cp = spiffs_get_cache_page_hdr(fs, cache, ix);
 if (cache->cpage_use_map & (1<