From patchwork Wed May  4 11:37:11 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [2/2] dediprog: Fix bug where too many transfers would be queued
Date: Wed, 04 May 2016 11:37:11 -0000
From: Nico Huber <nico.huber@secunet.com>
X-Patchwork-Id: 4442
Message-Id: <1462361831-30320-2-git-send-email-nico.huber@secunet.com>
To: <flashrom@flashrom.org>

We didn't check the total number of queued transfers in the inner most
loop. Up to DEDIPROG_ASYNC_TRANSFERS - 1 invalid transfers could be
queued therefore. So add another check on the total number.

Signed-off-by: Nico Huber <nico.huber@secunet.com>
Acked-by: David Hendricks <david.hendricks@gmail.com>

---
dediprog.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dediprog.c b/dediprog.c
index b7276e5..6f82772 100644
--- a/dediprog.c
+++ b/dediprog.c
@@ -462,7 +462,9 @@ static int dediprog_spi_bulk_read(struct flashctx *flash, uint8_t *buf, unsigned
 
 	/* Now transfer requested chunks using libusb's asynchronous interface. */
 	while (!status.error && (status.queued_idx < count)) {
-		while ((status.queued_idx - status.finished_idx) < DEDIPROG_ASYNC_TRANSFERS) {
+		while ((status.queued_idx < count) &&
+		       (status.queued_idx - status.finished_idx) < DEDIPROG_ASYNC_TRANSFERS)
+		{
 			transfer = transfers[status.queued_idx % DEDIPROG_ASYNC_TRANSFERS];
 			libusb_fill_bulk_transfer(transfer, dediprog_handle, 0x80 | dediprog_in_endpoint,
 					(unsigned char *)buf + status.queued_idx * chunksize, chunksize,