From ee774323347de0479f74bc062016616a400922bf Mon Sep 17 00:00:00 2001
From: Taylor Yu <code@argon.blue>
Date: Thu, 28 Dec 2023 11:23:12 -0600
Subject: [PATCH] fix heap corruption on LP64 platforms

Mixing unsigned long and int on LP64 platforms caused the chunksize
adjustment to be wrong for flash memory reads from "negative"
addresses. This caused runaway reads and heap corruption, because
chunksize was being adjusted to be greater than numBytes. Simplify
the computation by computing the offset within the page using a mask,
and use the difference between pageSize and offset to limit chunksize.

This is less necessary after the qXfer:memory-map:read support
was added, but it's definitely needed in 2.13, and maybe some
older GDB versions don't support qXfer:memory-map:read.
---
 src/jtag2rw.cc | 7 ++++---
 src/jtag3rw.cc | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/jtag2rw.cc b/src/jtag2rw.cc
index 2d1a96c..2cc497d 100644
--- a/src/jtag2rw.cc
+++ b/src/jtag2rw.cc
@@ -151,11 +151,12 @@ uchar *jtag2::jtagRead(unsigned long addr, unsigned int numBytes)
 	unsigned int chunksize = numBytes;
 	unsigned int targetOffset = 0;
 
-	if (addr + chunksize >= pageAddr + pageSize)
+	offset = addr & mask;
+	if (chunksize > pageSize - offset) {
 	    // Chunk would cross a page boundary, reduce it
 	    // appropriately.
-	    chunksize -= (addr + numBytes - (pageAddr + pageSize));
-	offset = addr - pageAddr;
+	    chunksize = pageSize - offset;
+	}
 
 	while (numBytes > 0)
 	{
diff --git a/src/jtag3rw.cc b/src/jtag3rw.cc
index ada7430..de4e3fb 100644
--- a/src/jtag3rw.cc
+++ b/src/jtag3rw.cc
@@ -150,11 +150,12 @@ uchar *jtag3::jtagRead(unsigned long addr, unsigned int numBytes)
 	unsigned int chunksize = numBytes;
 	unsigned int targetOffset = 0;
 
-	if (addr + numBytes >= pageAddr + pageSize)
+	offset = addr & mask;
+	if (chunksize > pageSize - offset) {
 	    // Chunk would cross a page boundary, reduce it
 	    // appropriately.
-	    chunksize -= (addr + numBytes - (pageAddr + pageSize));
-	offset = addr - pageAddr;
+	    chunksize = pageSize - offset;
+	}
 
 	while (numBytes > 0)
 	{