patch #9732: usbtiny_paged_load overflows buffer e.g. when reading EEPROM

* usbtiny.c (usbtiny_paged_load, usbtiny_paged_write): ensure chunk
does not overflow memory area

Submitted by Joel Ray Holveck




git-svn-id: svn://svn.savannah.nongnu.org/avrdude/trunk/avrdude@1444 81a1dc3b-b13d-400b-aceb-764788c761c2

ChangeLog

@@ -1,3 +1,10 @@
+2020-09-18  Joerg Wunsch <j.gnu@uriah.heep.sax.de>
+
+	Submitted by Joel Ray Holveck
+	patch #9732: usbtiny_paged_load overflows buffer e.g. when reading EEPROM
+	* usbtiny.c (usbtiny_paged_load, usbtiny_paged_write): ensure chunk
+	does not overflow memory area
+
 2020-09-16  Joerg Wunsch <j.gnu@uriah.heep.sax.de>
 
 	Submitted by Adrian Klieber:

NEWS

@@ -72,6 +72,7 @@ Current:
     patch #9819: Address several leaks in SVN rev 1429
     patch #9820: Fix some out-of-bounds/uninitialized issues
     patch #9818: correct typos in SVN rev 1429
+    patch #9732: usbtiny_paged_load overflows buffer e.g. when reading EEPROM
 
   * Internals:
     - New avrdude.conf keyword "family_id", used to verify SIB attributes

usbtiny.c

@@ -641,6 +641,9 @@ static int usbtiny_paged_load (PROGRAMMER * pgm, AVRPART * p, AVRMEM* m,
 
   for (; addr < maxaddr; addr += chunk) {
     chunk = PDATA(pgm)->chunk_size;         // start with the maximum chunk size possible
+    if (addr + chunk > maxaddr) {
+        chunk = maxaddr - addr;
+    }
 
     // Send the chunk of data to the USBtiny with the function we want
     // to perform
@@ -696,6 +699,9 @@ static int usbtiny_paged_write(PROGRAMMER * pgm, AVRPART * p, AVRMEM * m,
   for (; addr < maxaddr; addr += chunk) {
     // start with the max chunk size
     chunk = PDATA(pgm)->chunk_size;
+    if (addr + chunk > maxaddr) {
+        chunk = maxaddr - addr;
+    }
 
     // we can only write a page at a time anyways
     if (m->paged && chunk > page_size)