URL:
  <http://savannah.nongnu.org/bugs/?39691>

                 Summary: Buffer overrun when reading EEPROM byte with JTAGICE3
                 Project: AVR Downloader/UploaDEr
            Submitted by: djglaze
            Submitted on: Sun 04 Aug 2013 04:52:14 PM GMT
                Category: None
                Severity: 3 - Normal
                Priority: 5 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: David Glaze
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

Avrdude has a bug that causes it to write outside a buffer when attempting to
use the erase-rewrite cycle counter feature (-y) with the JTAGICE3 programmer
on an ATxmega128A3U part.  The resulting error is:


*** glibc detected *** avrdude: malloc(): memory corruption (fast):
0x0000000000675350 ***


The problem has been tracked down to the jtag3_read_byte() routine in jtag3.c,
in the code snippet:


  } else if (strcmp(mem->desc, "eeprom") == 0) {
    if ( (pgm->flag & PGM_FL_IS_DW) || ( p->flags & AVRPART_HAS_PDI ) ) {
      cmd[3] = MTYPE_EEPROM;
    } else {
      cmd[3] = MTYPE_EEPROM_PAGE;
    }
    pagesize = mem->page_size;
    paddr = addr & ~(pagesize - 1);
    paddr_ptr = &PDATA(pgm)->eeprom_pageaddr;
    cache_ptr = PDATA(pgm)->eeprom_pagecache;
  } else if (strcmp(mem->desc, "lfuse") == 0) {


I believe this should instead be:


  } else if (strcmp(mem->desc, "eeprom") == 0) {
    if ( (pgm->flag & PGM_FL_IS_DW) || ( p->flags & AVRPART_HAS_PDI ) ) {
      cmd[3] = MTYPE_EEPROM;
    } else {
      cmd[3] = MTYPE_EEPROM_PAGE;
      pagesize = mem->page_size;
      paddr = addr & ~(pagesize - 1);
      paddr_ptr = &PDATA(pgm)->eeprom_pageaddr;
      cache_ptr = PDATA(pgm)->eeprom_pagecache;
    }
  } else if (strcmp(mem->desc, "lfuse") == 0) {


so that when doing a byte read (MTYPE_EEPROM), the pagesize variable remains
unset and won't trigger the page buffering routines below.

This fix appears to work correctly for me, although it then reveals other
downwind issues (which have been submitted in another ticket).

    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?39691>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/


_______________________________________________
avrdude-dev mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/avrdude-dev
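The pattern behind this report (a shared page-buffering tail that is entered whenever pagesize is non-zero, even when the memory type selected is a byte read) is easy to model. The following C block is an added illustration and is not avrdude's code or anything from the report: a fake EEPROM, a fixed-size page cache with a canary region after it, and two versions of the read routine. The "before" version sets pagesize unconditionally, like the snippet the reporter quotes; the "after" version sets it only in page mode, as the proposed fix does, and additionally refuses a page size larger than the cache. The cache size, memory contents and transport are constructed assumptions; real sizes in avrdude differ.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model (not avrdude's code). A byte read either goes straight to
 * the device (byte mode) or pulls a whole page into a small cache (page mode).
 * The cache is an assumed fixed size so an overrun is visible. */

#define MEM_BYTES    256
#define CACHE_BYTES  16    /* assumed cache capacity */
#define CANARY_BYTES 32    /* bytes after the cache; an overrun lands here */
#define CANARY_VAL   0xA5

enum mtype { MTYPE_BYTE, MTYPE_PAGE };

struct dev {
    unsigned char mem[MEM_BYTES];                   /* fake EEPROM contents (constructed) */
    unsigned char buf[CACHE_BYTES + CANARY_BYTES];  /* page cache followed by the canary */
    unsigned long cache_addr;
    int cache_valid;
};

/* Fill the fake EEPROM with a recognisable pattern and arm the canary. */
void dev_init(struct dev *d) {
    memset(d, 0, sizeof *d);
    for (size_t i = 0; i < MEM_BYTES; i++)
        d->mem[i] = (unsigned char)(i ^ 0x5A);
    memset(d->buf + CACHE_BYTES, CANARY_VAL, CANARY_BYTES);
}

/* Simulated transport: the device returns `len` bytes starting at `addr`. */
static void dev_read(const struct dev *d, unsigned long addr, unsigned char *out, size_t len) {
    memcpy(out, d->mem + addr, len);
}

/* Returns 1 if no byte after the cache has been overwritten. */
int canary_intact(const struct dev *d) {
    for (size_t i = 0; i < CANARY_BYTES; i++)
        if (d->buf[CACHE_BYTES + i] != CANARY_VAL)
            return 0;
    return 1;
}

/* Shared tail, like the page-buffering code below the quoted snippet: a non-zero
 * pagesize routes the read through the cache, zero reads a single byte directly. */
static int finish_read(struct dev *d, unsigned pagesize, unsigned long addr, unsigned char *out) {
    if (pagesize) {
        unsigned long paddr = addr & ~(unsigned long)(pagesize - 1);
        if (!d->cache_valid || d->cache_addr != paddr) {
            dev_read(d, paddr, d->buf, pagesize);  /* copies pagesize bytes into a CACHE_BYTES cache */
            d->cache_addr = paddr;
            d->cache_valid = 1;
        }
        *out = d->buf[addr - paddr];
        return 0;
    }
    dev_read(d, addr, out, 1);
    return 0;
}

/* Before the fix: pagesize is set whatever the mode, so a byte-mode read still
 * runs the page tail with a page size the cache was never sized for. */
int read_byte_before(struct dev *d, enum mtype mt, unsigned page_size, unsigned long addr, unsigned char *out) {
    (void)mt;                  /* the mode only selects the command byte; pagesize is set either way */
    unsigned pagesize = page_size;
    return finish_read(d, pagesize, addr, out);
}

/* After the fix, plus a bounds check the fix alone does not add: only page mode
 * sets pagesize, and a page that would not fit the cache is rejected. */
int read_byte_after(struct dev *d, enum mtype mt, unsigned page_size, unsigned long addr, unsigned char *out) {
    unsigned pagesize = 0;
    if (mt == MTYPE_PAGE) {
        if (page_size == 0 || page_size > CACHE_BYTES || (page_size & (page_size - 1)))
            return -1;         /* would overrun the cache or misalign paddr */
        pagesize = page_size;
    }
    return finish_read(d, pagesize, addr, out);
}
```

With a 32-byte page and byte mode, read_byte_before() fills 32 bytes into a 16-byte cache and the canary check fails; read_byte_after() reads the byte directly and leaves the cache untouched. The power-of-two check matters because `addr & ~(pagesize - 1)` only computes a page base for power-of-two page sizes.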
