From 477e1693c830d3246c4fd7caae8a2f2b8e9f49c1 Mon Sep 17 00:00:00 2001
From: Nico Huber <nico.h@gmx.de>
Date: Tue, 18 Jun 2019 23:56:01 +0200
Subject: dediprog: Bail out on unsupported, long transfers

Change-Id: I7b16701597909c015f98199e73ebb7d923f2b072
Signed-off-by: Nico Huber <nico.h@gmx.de>
Reviewed-on: https://review.coreboot.org/c/flashrom/+/33614
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: David Hendricks <david.hendricks@gmail.com>
Reviewed-by: Ryan O'Leary
Reviewed-by: ron minnich <rminnich@gmail.com>
---
 dediprog.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/dediprog.c b/dediprog.c
index 8552a3cd..8029b64f 100644
--- a/dediprog.c
+++ b/dediprog.c
@@ -362,7 +362,15 @@ static int dediprog_set_spi_speed(unsigned int spispeed_idx)
 
 static int prepare_rw_cmd(
 		struct flashctx *const flash, uint8_t *data_packet, unsigned int count,
-		uint8_t dedi_spi_cmd, unsigned int *value, unsigned int *idx, unsigned int start, int is_read) {
+		uint8_t dedi_spi_cmd, unsigned int *value, unsigned int *idx, unsigned int start, int is_read)
+{
+	if (count >= 1 << 16) {
+		msg_perr("%s: Unsupported transfer length of %u blocks! "
+			 "Please report a bug at flashrom@flashrom.org\n",
+			 __func__, count);
+		return 1;
+	}
+
 	/* First 5 bytes are common in both generations. */
 	data_packet[0] = count & 0xff;
 	data_packet[1] = (count >> 8) & 0xff;
-- 
cgit v1.2.3