avrdude-dev

[avrdude-dev] Found a bug in stk500v2.c


From: Robert Kavaler
Subject: [avrdude-dev] Found a bug in stk500v2.c
Date: Mon, 18 Jul 2016 21:17:36 -0700
User-agent: Mozilla/5.0 (X11; Linux i686; rv:38.0) Gecko/20100101 Thunderbird/38.3.0

In function stk600_xprog_paged_load there is a bug, perhaps a few bugs, in the way memory is fetched from the device and stored in memory. I found the problem when using avrispmkII tools talking to an ATTINY104, but the problem may be more widespread. The function appears to take n_bytes as a parameter and mem->buf as the target memory of the transfer, but it is very possible to overrun mem->buf (and it happened to me) since mem->size is not used to limit writing to mem->buf. Also, the entire read loop appears to use page_size incorrectly, and in fact you can easily transfer more bytes than requested into mem->buf.

avrdude -C avrdude.conf -c avrispmkII -p t104

What appears to happen in this case is that mem->buf is allocated a buffer of only size 3 while the writes are all page_size, which is 16, and that overrun causes the process to core dump on exit (i.e. memory corruption).

I would like to fix it better than my current fix, but I need to validate that:
1. this function should read n_bytes total, with each read limited to page_size bytes;
2. if there is not enough memory (n_bytes > mem->size), should I return or just truncate the transfer to the buffer?

Robert
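The overrun described in the message, reproduced as an added example that is not avrdude's code: a constructed `mem_t` stands in for avrdude's AVRMEM with only the fields the report mentions (`size`, `page_size`, `buf`), `xprog_read_page` is a constructed mock of the per-page device read, and `paged_load_unbounded` follows the pattern the report describes (one full `page_size` copy per iteration, bounded neither by `n_bytes` nor by `mem->size`). `paged_load_bounded` is the hardened form that answers both of the report's questions one way: reject a request larger than the buffer up front, and clip the last chunk so exactly `n_bytes` land in `mem->buf`. Instead of a heap buffer of exactly `mem->size` bytes, the buffer is a fixed array padded with a canary past `size`, so the overrun is measured rather than corrupting the heap.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for the memory descriptor: buf is a fixed array
 * padded beyond `size` with CANARY so an overrun can be counted safely. */
#define BUF_CAP 64
#define CANARY  0xCC

typedef struct {
    int size;               /* bytes actually valid in buf (mem->size) */
    int page_size;          /* bytes per device read (mem->page_size) */
    uint8_t buf[BUF_CAP];
} mem_t;

/* Constructed device image standing in for the target's memory. */
static uint8_t device_image[256];

/* Mock per-page read: copies `len` bytes from device_image[addr] into page. */
static int xprog_read_page(unsigned addr, uint8_t *page, unsigned len) {
    if (addr + len > sizeof device_image) return -1;
    memcpy(page, device_image + addr, len);
    return 0;
}

/* Pattern the report describes: each iteration copies a full page_size chunk,
 * so with size 3 and page_size 16 the copy runs 13 bytes past mem->size. */
static int paged_load_unbounded(mem_t *mem, unsigned n_bytes) {
    uint8_t page[BUF_CAP];
    if (mem->page_size <= 0 || mem->page_size > BUF_CAP) return -1;
    for (unsigned addr = 0; addr < n_bytes; addr += mem->page_size) {
        if (xprog_read_page(addr, page, mem->page_size) < 0) return -1;
        memcpy(mem->buf + addr, page, mem->page_size);  /* not clipped to n_bytes or mem->size */
    }
    return (int)n_bytes;
}

/* Hardened variant: refuse n_bytes > mem->size, and clip the final chunk
 * to what remains so exactly n_bytes are written. */
static int paged_load_bounded(mem_t *mem, unsigned n_bytes) {
    uint8_t page[BUF_CAP];
    if (mem->page_size <= 0 || mem->page_size > BUF_CAP) return -1;
    if (mem->size < 0 || n_bytes > (unsigned)mem->size) return -1;
    for (unsigned addr = 0; addr < n_bytes; addr += mem->page_size) {
        unsigned chunk = n_bytes - addr;
        if (chunk > (unsigned)mem->page_size) chunk = (unsigned)mem->page_size;
        if (xprog_read_page(addr, page, chunk) < 0) return -1;
        memcpy(mem->buf + addr, page, chunk);
    }
    return (int)n_bytes;
}

/* Mark `size` bytes valid; everything in buf holds CANARY until written. */
static void mem_init(mem_t *mem, int size, int page_size) {
    mem->size = size;
    mem->page_size = page_size;
    memset(mem->buf, CANARY, BUF_CAP);
}

/* Number of bytes past mem->size that were overwritten; 0 means no overrun. */
static int overrun_bytes(const mem_t *mem) {
    int n = 0;
    for (int i = mem->size; i < BUF_CAP; i++)
        if (mem->buf[i] != CANARY) n++;
    return n;
}

/* Reproduce the report's numbers (size 3, page_size 16, read 3 bytes) with
 * either loader; returns the overrun count, or -1 if the loader refused. */
static int run_case(int bounded) {
    mem_t mem;
    for (unsigned i = 0; i < sizeof device_image; i++)
        device_image[i] = (uint8_t)(i + 1);        /* never equals CANARY in the first 16 bytes */
    mem_init(&mem, 3, 16);
    int rc = bounded ? paged_load_bounded(&mem, 3) : paged_load_unbounded(&mem, 3);
    return rc < 0 ? -1 : overrun_bytes(&mem);
}

int main(void) {
    printf("unbounded: %d bytes written past mem->size\n", run_case(0));
    printf("bounded:   %d bytes written past mem->size\n", run_case(1));
    mem_t mem;
    mem_init(&mem, 3, 16);
    printf("request of 8 bytes into a 3-byte buffer -> rc=%d\n", paged_load_bounded(&mem, 8));
    return 0;
}
```

The choice to return an error rather than truncate is the conservative one for a programmer: a silently shortened read would let a verify step compare against stale or partial data, whereas a refused request surfaces the mismatch between the requested length and the allocated buffer immediately.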



