avr
/
avrdude
mirror of https://github.com/mariusgreuel/avrdude.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix buffer overflow issue 

when in terminal fill mode
This commit is contained in:
MCUdude 2022-04-09 20:08:44 +02:00
parent 7e26a15375
commit 1363c7fe76
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/term.c
View File

@ -373,7 +373,8 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,
return -1; return -1;
} }
uint8_t * buf = malloc(mem->size + 0x10); // Allocate a buffer guaranteed to be large enough
uint8_t * buf = calloc(mem->size + 0x10 + strlen(argv[argc - 2]), sizeof(uint8_t));
if (buf == NULL) { if (buf == NULL) {
avrdude_message(MSG_INFO, "%s (write): out of memory\n", progname); avrdude_message(MSG_INFO, "%s (write): out of memory\n", progname);
return -1; return -1;
@ -535,6 +536,10 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,
buf[i - start_offset + ++data.bytes_grown] = data.a[7]; buf[i - start_offset + ++data.bytes_grown] = data.a[7];
} }
} }
// Make sure buf does not overflow
if (i - start_offset + data.bytes_grown > maxsize)
break;
} }
// When in "fill" mode, the maximum size is already predefined // When in "fill" mode, the maximum size is already predefined