From 7023e2345c2dbf008243b844139592affc05d919 Mon Sep 17 00:00:00 2001 From: joerg_wunsch Date: Tue, 17 Sep 2013 15:06:35 +0000 Subject: [PATCH] * jtag3.c (jtag3_initialize): Fix a buffer overflow by limiting the flash page cache size to at most "readsize". For Xmegas with a page size of 512 bytes, the maximum USB packet size was overflowed, and subsequently, a memmove copied beyond the end of the allocated buffer. * jtag3.c (jtag3_read_byte): Add the correct offset also for the various flash regions, so reading the apptable or boot regions yields the correct data. git-svn-id: svn://svn.savannah.nongnu.org/avrdude/trunk/avrdude@1237 81a1dc3b-b13d-400b-aceb-764788c761c2 --- ChangeLog | 11 +++++++++++ jtag3.c | 11 +++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index e8a78025..6d7ed72c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2013-09-17 Joerg Wunsch + + * jtag3.c (jtag3_initialize): Fix a buffer overflow by limiting + the flash page cache size to at most "readsize". For Xmegas with + a page size of 512 bytes, the maximum USB packet size was + overflowed, and subsequently, a memmove copied beyond the end of + the allocated buffer. + * jtag3.c (jtag3_read_byte): Add the correct offset also for the + various flash regions, so reading the apptable or boot regions + yields the correct data. + 2013-09-16 Joerg Wunsch Submitted by Joakim Lubeck: diff --git a/jtag3.c b/jtag3.c index aa91741c..4d364c80 100644 --- a/jtag3.c +++ b/jtag3.c @@ -802,7 +802,10 @@ static int jtag3_initialize(PROGRAMMER * pgm, AVRPART * p) for (ln = lfirst(p->mem); ln; ln = lnext(ln)) { m = ldata(ln); if (strcmp(m->desc, "flash") == 0) { - PDATA(pgm)->flash_pagesize = m->page_size; + if (m->readsize != 0 && m->readsize < m->page_size) + PDATA(pgm)->flash_pagesize = m->readsize; + else + PDATA(pgm)->flash_pagesize = m->page_size; u16_to_b2(xd.flash_page_size, m->page_size); } else if (strcmp(m->desc, "eeprom") == 0) { PDATA(pgm)->eeprom_pagesize = m->page_size; @@ -843,7 +846,10 @@ static int jtag3_initialize(PROGRAMMER * pgm, AVRPART * p) for (ln = lfirst(p->mem); ln; ln = lnext(ln)) { m = ldata(ln); if (strcmp(m->desc, "flash") == 0) { - PDATA(pgm)->flash_pagesize = m->page_size; + if (m->readsize != 0 && m->readsize < m->page_size) + PDATA(pgm)->flash_pagesize = m->readsize; + else + PDATA(pgm)->flash_pagesize = m->page_size; u16_to_b2(md.flash_page_size, m->page_size); u32_to_b4(md.flash_size, (flashsize = m->size)); // do we need it? just a wild guess @@ -1421,6 +1427,7 @@ static int jtag3_read_byte(PROGRAMMER * pgm, AVRPART * p, AVRMEM * mem, strcmp(mem->desc, "application") == 0 || strcmp(mem->desc, "apptable") == 0 || strcmp(mem->desc, "boot") == 0) { + addr += mem->offset & (512 * 1024 - 1); /* max 512 KiB flash */ pagesize = PDATA(pgm)->flash_pagesize; paddr = addr & ~(pagesize - 1); paddr_ptr = &PDATA(pgm)->flash_pageaddr;