From d5ea30b233e8162898d44da2c20dfc88e27d23db Mon Sep 17 00:00:00 2001 From: Kory Maincent Date: Tue, 7 Apr 2026 14:34:35 +0200 Subject: tools: fwumdata: Fix use-after-free in parse_config() In parse_config(), devname is dynamically allocated by sscanf(). When sscanf() fails to fill enough fields (rc < 3), devname is freed and the loop continues to the next line. However, if the next call to sscanf() fails to match (rc == 0), devname is not written and still holds the stale freed pointer. The subsequent free(devname) then operates on already-freed memory. Fix this by resetting devname to NULL before each sscanf() call, so that a non-matching call leaves a NULL pointer and the subsequent free() becomes a harmless no-op. Reported-by: Coverity Scan Link: https://lists.denx.de/pipermail/u-boot/2026-April/614161.html Signed-off-by: Kory Maincent Reviewed-by: Ilias Apalodimas --- tools/fwumdata_src/fwumdata.c | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/fwumdata_src/fwumdata.c b/tools/fwumdata_src/fwumdata.c index c5b0f56842d..44195ce2bf2 100644 --- a/tools/fwumdata_src/fwumdata.c +++ b/tools/fwumdata_src/fwumdata.c @@ -84,6 +84,7 @@ static int parse_config(const char *fname) if (line[0] == '#' || line[0] == '\n') continue; + devname = NULL; rc = sscanf(line, "%ms %lli %lx %lx", &devname, &devices[i].devoff, -- cgit v1.2.3
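Review bot: the added `devname = NULL;` ahead of the `sscanf()` call in parse_config() carries no comment, and the reason for it is not obvious from the code alone. `%ms` only stores into `&devname` when that conversion matches, so on rc == 0 the variable keeps whatever the previous iteration left in it. A one-line comment saying so would keep a later cleanup from dropping the assignment as redundant. Please also confirm that every path back to the top of the loop has already freed devname or handed it off, because the reset would otherwise discard the only reference to the previous allocation.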