[avrdude-dev] [bug #39691] Buffer overrun when reading EEPROM byte with JTAGICE3
From: David Glaze
Subject: [avrdude-dev] [bug #39691] Buffer overrun when reading EEPROM byte with JTAGICE3
Date: Sun, 04 Aug 2013 16:52:15 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11
URL: <http://savannah.nongnu.org/bugs/?39691>
Summary: Buffer overrun when reading EEPROM byte with JTAGICE3
Project: AVR Downloader/UploaDEr
Submitted by: djglaze
Submitted on: Sun 04 Aug 2013 04:52:14 PM GMT
Category: None
Severity: 3 - Normal
Priority: 5 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Originator Name: David Glaze
Originator Email:
Open/Closed: Open
Discussion Lock: Any
_______________________________________________________
Details:
Avrdude has a bug that causes it to write outside a buffer when attempting to
use the erase-rewrite cycle counter feature (-y) with the JTAGICE3 programmer
on an ATxmega128A3U part. The resulting error is:
*** glibc detected *** avrdude: malloc(): memory corruption (fast): 0x0000000000675350 ***
The problem has been tracked down to the jtag3_read_byte() routine in jtag3.c,
in the code snippet:
    } else if (strcmp(mem->desc, "eeprom") == 0) {
        if ( (pgm->flag & PGM_FL_IS_DW) || ( p->flags & AVRPART_HAS_PDI ) ) {
            cmd[3] = MTYPE_EEPROM;
        } else {
            cmd[3] = MTYPE_EEPROM_PAGE;
        }
        pagesize = mem->page_size;
        paddr = addr & ~(pagesize - 1);
        paddr_ptr = &PDATA(pgm)->eeprom_pageaddr;
        cache_ptr = PDATA(pgm)->eeprom_pagecache;
    } else if (strcmp(mem->desc, "lfuse") == 0) {
I believe this should instead be:
    } else if (strcmp(mem->desc, "eeprom") == 0) {
        if ( (pgm->flag & PGM_FL_IS_DW) || ( p->flags & AVRPART_HAS_PDI ) ) {
            cmd[3] = MTYPE_EEPROM;
        } else {
            cmd[3] = MTYPE_EEPROM_PAGE;
            pagesize = mem->page_size;
            paddr = addr & ~(pagesize - 1);
            paddr_ptr = &PDATA(pgm)->eeprom_pageaddr;
            cache_ptr = PDATA(pgm)->eeprom_pagecache;
        }
    } else if (strcmp(mem->desc, "lfuse") == 0) {
so that when doing a byte read (MTYPE_EEPROM), the pagesize variable remains
unset and won't trigger the page buffering routines below.
This fix appears to work correctly for me, although it then reveals other
downwind issues (which have been submitted in another ticket).
_______________________________________________________
Reply to this item at: <http://savannah.nongnu.org/bugs/?39691>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
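An added example, not avrdude's code: a small C model of the control-flow difference the report describes, with the original and the proposed EEPROM branch selectable by a flag and a page-buffering step that only touches the cache when pagesize is set. The flag bits, MTYPE values, struct layout and cache size are placeholders and assumptions, not avrdude's real definitions.

```c
/* Added example (not avrdude code): simplified model of the EEPROM branch of
 * jtag3_read_byte() quoted in the report.  Flag bits, MTYPE values, cache
 * size and the struct layout are placeholders/assumptions. */
#include <stddef.h>
#include <string.h>

#define PGM_FL_IS_DW      0x01  /* placeholder, not the real avrdude value */
#define AVRPART_HAS_PDI   0x02  /* placeholder */
#define MTYPE_EEPROM      0x22  /* placeholder */
#define MTYPE_EEPROM_PAGE 0x20  /* placeholder */
#define CACHE_SIZE        32    /* constructed page-cache capacity */

struct mem   { const char *desc; unsigned page_size; };
struct state { unsigned long eeprom_pageaddr; unsigned char eeprom_pagecache[CACHE_SIZE]; };
/* What the selection step leaves for the page-buffering code below it. */
struct sel   { unsigned char mtype; unsigned pagesize; unsigned long paddr; };

/* fixed == 0: the original code, which sets pagesize for the byte variant too.
 * fixed != 0: the proposed code, where only the page variant sets pagesize. */
struct sel select_eeprom(int fixed, unsigned pgm_flag, unsigned part_flags,
                         const struct mem *m, unsigned long addr)
{
    struct sel s = {0, 0, 0};
    int byte_read = (pgm_flag & PGM_FL_IS_DW) || (part_flags & AVRPART_HAS_PDI);
    s.mtype = byte_read ? MTYPE_EEPROM : MTYPE_EEPROM_PAGE;
    if (!fixed || !byte_read) {           /* original: unconditional */
        s.pagesize = m->page_size;
        s.paddr = addr & ~(unsigned long)(s.pagesize - 1);
    }
    return s;
}

/* The buffering step below the selection: touches the cache only when
 * pagesize is set.  Returns bytes copied, or -1 if the page would not fit
 * the cache or the device image (a bounds check this model adds). */
int page_buffer(struct state *st, const struct sel *s,
                const unsigned char *dev, size_t devlen)
{
    if (s->pagesize == 0)
        return 0;                         /* byte read: cache untouched */
    if (s->pagesize > CACHE_SIZE || s->paddr + s->pagesize > devlen)
        return -1;
    memcpy(st->eeprom_pagecache, dev + s->paddr, s->pagesize);
    st->eeprom_pageaddr = s->paddr;
    return (int)s->pagesize;
}
```

With the original selection a PDI part's byte read still leaves pagesize set, so the buffering step runs; with the proposed selection it returns without touching the cache.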