* jtag3.c (jtag3_initialize): Fix a buffer overflow by limiting
the flash page cache size to at most "readsize". For Xmegas with a page size of 512 bytes, the maximum USB packet size was overflowed, and subsequently, a memmove copied beyond the end of the allocated buffer. * jtag3.c (jtag3_read_byte): Add the correct offset also for the various flash regions, so reading the apptable or boot regions yields the correct data. git-svn-id: svn://svn.savannah.nongnu.org/avrdude/trunk/avrdude@1237 81a1dc3b-b13d-400b-aceb-764788c761c2
parent
c6e9e34e98
commit
e59b190654
11
ChangeLog
11
ChangeLog
|
@ -1,3 +1,14 @@
|
||||||
|
2013-09-17 Joerg Wunsch <j.gnu@uriah.heep.sax.de>
|
||||||
|
|
||||||
|
* jtag3.c (jtag3_initialize): Fix a buffer overflow by limiting
|
||||||
|
the flash page cache size to at most "readsize". For Xmegas with
|
||||||
|
a page size of 512 bytes, the maximum USB packet size was
|
||||||
|
overflowed, and subsequently, a memmove copied beyond the end of
|
||||||
|
the allocated buffer.
|
||||||
|
* jtag3.c (jtag3_read_byte): Add the correct offset also for the
|
||||||
|
various flash regions, so reading the apptable or boot regions
|
||||||
|
yields the correct data.
|
||||||
|
|
||||||
2013-09-16 Joerg Wunsch <j.gnu@uriah.heep.sax.de>
|
2013-09-16 Joerg Wunsch <j.gnu@uriah.heep.sax.de>
|
||||||
|
|
||||||
Submitted by Joakim Lubeck:
|
Submitted by Joakim Lubeck:
|
||||||
|
|
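--- a/jtag3.c
+++ b/jtag3.c
@@ -802,6 +802,9 @@ static int jtag3_initialize(PROGRAMMER * pgm, AVRPART * p)
 for (ln = lfirst(p->mem); ln; ln = lnext(ln)) {
 m = ldata(ln);
 if (strcmp(m->desc, "flash") == 0) {
+if (m->readsize != 0 && m->readsize < m->page_size)
+PDATA(pgm)->flash_pagesize = m->readsize;
+else
 PDATA(pgm)->flash_pagesize = m->page_size;
 u16_to_b2(xd.flash_page_size, m->page_size);
 } else if (strcmp(m->desc, "eeprom") == 0) {
@@ -843,6 +846,9 @@ static int jtag3_initialize(PROGRAMMER * pgm, AVRPART * p)
 for (ln = lfirst(p->mem); ln; ln = lnext(ln)) {
 m = ldata(ln);
 if (strcmp(m->desc, "flash") == 0) {
+if (m->readsize != 0 && m->readsize < m->page_size)
+PDATA(pgm)->flash_pagesize = m->readsize;
+else
 PDATA(pgm)->flash_pagesize = m->page_size;
 u16_to_b2(md.flash_page_size, m->page_size);
 u32_to_b4(md.flash_size, (flashsize = m->size));
@@ -1421,6 +1427,7 @@ static int jtag3_read_byte(PROGRAMMER * pgm, AVRPART * p, AVRMEM * mem,
 strcmp(mem->desc, "application") == 0 ||
 strcmp(mem->desc, "apptable") == 0 ||
 strcmp(mem->desc, "boot") == 0) {
+addr += mem->offset & (512 * 1024 - 1); /* max 512 KiB flash */
 pagesize = PDATA(pgm)->flash_pagesize;
 paddr = addr & ~(pagesize - 1);
 paddr_ptr = &PDATA(pgm)->flash_pageaddr;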
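Review bot: The clamp added in both jtag3_initialize hunks still leaves flash_pagesize equal to m->page_size whenever m->readsize is 0 or not smaller than the page size, so the bound on the page cache depends entirely on the part description carrying a correct readsize. Neither value is compared with the size of the allocated buffer that the commit message says was overrun, and that copy is outside these hunks; a length check at the copy itself would hold even for a part entry with a missing or wrong readsize. The third hunk computes `paddr = addr & ~(pagesize - 1)`, which is only correct when pagesize is a power of two, and readsize is now a possible source for it, so a comment above the clamp such as `/* flash_pagesize may come from readsize; must be a power of two that fits the allocated page buffer */` would record the assumption. The same three-line clamp appears twice and could live in one static helper. All three function bodies continue outside the hunks.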