From 1576b8303eadca04c3c9f68291c6dd0bae3178dc Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka
Date: Mon, 28 May 2012 13:00:58 +0900
Subject: [PATCH] flash write range check
---
 ChangeLog | 1 +
 src/sys.c | 11 +++++++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 224b8bd..9c039c0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@
 * boards/common/hwinit.c (hwinit0): ... and define here.
 (hwinit0) [DFU_SUPPORT]: Don't set SCB->VTOR here.
 * src/sys.c (reset) [DFU_SUPPORT]: Set SCB->VTOR here.
+ (flash_write): Range check.
 * polarssl-0.14.0/library/aes.c (FT0, FT1, FT2): Specify the section ".sys", so that we will have more room for flash ROM.
diff --git a/src/sys.c b/src/sys.c
index c8065f2..92246f2 100644
--- a/src/sys.c
+++ b/src/sys.c
@@ -4,6 +4,10 @@
 #include "board.h"
 #include "usb_lld.h"
+extern uint8_t __flash_start__, __flash_end__;
+extern uint8_t _regnual_start;
+
+
 static const uint8_t *
 unique_device_id (void)
 {
@@ -126,6 +130,11 @@ static int
 flash_write (uint32_t dst_addr, const uint8_t *src, size_t len)
 {
 int status;
+ uint32_t flash_start = (uint32_t)&__flash_start__;
+ uint32_t flash_end = (uint32_t)&__flash_end__;
+
+ if (dst_addr < flash_start || dst_addr + len > flash_end)
+ return 0;
 while (len)
 {
@@ -174,8 +183,6 @@ flash_protect (void)
 return (option_bytes_value & 0xff) == 0xff ? 1 : 0;
 }
-extern uint8_t __flash_start__, __flash_end__;
-extern uint8_t _regnual_start;
 static void __attribute__((naked))
 flash_mass_erase_and_exec (void)
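Review bot: The upper-bound test `dst_addr + len > flash_end` added to flash_write can wrap around. Both operands are unsigned, so on a target where size_t is 32 bits a very large `len` makes the sum overflow to a small value that passes the check, and the write loop that follows is then not confined to the flash region. Comparing against the remaining room avoids the addition: `if (dst_addr < flash_start || dst_addr > flash_end || len > flash_end - dst_addr) return 0;`. The rest of the function body lies outside the hunk, so it is not visible whether callers can tell this `return 0` apart from a normal result; a one-line comment such as `/* Refuse writes outside [__flash_start__, __flash_end__) */` above the check would document the intent.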