From f1c27b6e4aecfd762c9be25c1d5c8ec7b3dacecb Mon Sep 17 00:00:00 2001
From: Gaetan Perrot <gaetan.perrot@spacecubics.com>
Date: Wed, 2 Jul 2025 16:36:26 +0900
Subject: [PATCH] drivers: counter: Fix possible null pointer dereference

The function counter_rz_gtm_set_alarm was accessing alarm_cfg->flags and
alarm_cfg->ticks before verifying that alarm_cfg is non-NULL.

This could lead to undefined behavior or crashes if a NULL pointer is
passed.

The pointer check has been moved before any dereference to fix this bug.

Signed-off-by: Gaetan Perrot <gaetan.perrot@spacecubics.com>
---
 drivers/counter/counter_renesas_rz_gtm.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/counter/counter_renesas_rz_gtm.c b/drivers/counter/counter_renesas_rz_gtm.c
index 836d213d776..0db2f3237af 100644
--- a/drivers/counter/counter_renesas_rz_gtm.c
+++ b/drivers/counter/counter_renesas_rz_gtm.c
@@ -190,8 +190,8 @@ static int counter_rz_gtm_set_alarm(const struct device *dev, uint8_t chan,
 	const struct counter_rz_gtm_config *cfg = dev->config;
 	struct counter_rz_gtm_data *data = dev->data;
 
-	bool absolute = alarm_cfg->flags & COUNTER_ALARM_CFG_ABSOLUTE;
-	uint32_t val = alarm_cfg->ticks;
+	bool absolute;
+	uint32_t val;
 	k_spinlock_key_t key;
 	bool irq_on_late;
 	uint32_t max_rel_val;
@@ -201,6 +201,10 @@ static int counter_rz_gtm_set_alarm(const struct device *dev, uint8_t chan,
 	if (!alarm_cfg) {
 		return -EINVAL;
 	}
+
+	absolute = alarm_cfg->flags & COUNTER_ALARM_CFG_ABSOLUTE;
+	val = alarm_cfg->ticks;
+
 	/* Alarm callback is mandatory */
 	if (!alarm_cfg->callback) {
 		return -EINVAL;