Fix buffer overflow issue

MCUdude · MCUdude · commit 1363c7fe768b · 2022-04-09T20:08:44.000+02:00
when in terminal fill mode
diff --git a/src/term.c b/src/term.c
@@ -373,7 +373,8 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,
     return -1;
   }
 
-  uint8_t * buf = malloc(mem->size + 0x10);
+  // Allocate a buffer guaranteed to be large enough
+  uint8_t * buf = calloc(mem->size + 0x10 + strlen(argv[argc - 2]), sizeof(uint8_t));
   if (buf == NULL) {
     avrdude_message(MSG_INFO, "%s (write): out of memory\n", progname);
     return -1;
@@ -535,6 +536,10 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,
         buf[i - start_offset + ++data.bytes_grown] = data.a[7];
       }
     }
+
+    // Make sure buf does not overflow
+    if (i - start_offset + data.bytes_grown > maxsize)
+      break;
   }
 
   // When in "fill" mode, the maximum size is already predefined

Original file line number	Diff line number	Diff line change
`@@ -373,7 +373,8 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,`
`373`	`373`	`return -1;`
`374`	`374`	`}`
`375`	`375`
`376`		`- uint8_t * buf = malloc(mem->size + 0x10);`
	`376`	`+ // Allocate a buffer guaranteed to be large enough`
	`377`	`+ uint8_t * buf = calloc(mem->size + 0x10 + strlen(argv[argc - 2]), sizeof(uint8_t));`
`377`	`378`	`if (buf == NULL) {`
`378`	`379`	`avrdude_message(MSG_INFO, "%s (write): out of memory\n", progname);`
`379`	`380`	`return -1;`
`@@ -535,6 +536,10 @@ static int cmd_write(PROGRAMMER * pgm, struct avrpart * p,`
`535`	`536`	`buf[i - start_offset + ++data.bytes_grown] = data.a[7];`
`536`	`537`	`}`
`537`	`538`	`}`
	`539`	`+`
	`540`	`+ // Make sure buf does not overflow`
	`541`	`+ if (i - start_offset + data.bytes_grown > maxsize)`
	`542`	`+ break;`
`538`	`543`	`}`
`539`	`544`
`540`	`545`	`// When in "fill" mode, the maximum size is already predefined`