From 6b06bc6237ccd63a268f82752d6b6c0265a77571 Mon Sep 17 00:00:00 2001
From: Dean Camera <dean@fourwalledcubicle.com>
Date: Sun, 8 Nov 2015 14:48:35 +1100
Subject: [PATCH] Fixed missing bounds checks and off-by-one in the DFU
 bootloader signature bytes (thanks to Reuti)

---
 Bootloaders/DFU/BootloaderDFU.c | 37 +++++++++++++++++++++++++++------
 LUFA/DoxygenPages/ChangeLog.txt |  1 +
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/Bootloaders/DFU/BootloaderDFU.c b/Bootloaders/DFU/BootloaderDFU.c
index cfe368d32..4a0d73043 100644
--- a/Bootloaders/DFU/BootloaderDFU.c
+++ b/Bootloaders/DFU/BootloaderDFU.c
@@ -818,18 +818,43 @@ static void ProcessReadCommand(void)
 	const uint8_t BootloaderInfo[3] = {BOOTLOADER_VERSION, BOOTLOADER_ID_BYTE1, BOOTLOADER_ID_BYTE2};
 	const uint8_t SignatureInfo[4]  = {0x58, AVR_SIGNATURE_1, AVR_SIGNATURE_2, AVR_SIGNATURE_3};
 
-	uint8_t DataIndexToRead = SentCommand.Data[1];
+	uint8_t DataIndexToRead    = SentCommand.Data[1];
+	bool    ReadAddressInvalid = false;
 
 	if (IS_ONEBYTE_COMMAND(SentCommand.Data, 0x00))                        // Read bootloader info
 	{
-		ResponseByte = BootloaderInfo[DataIndexToRead];
+		if (DataIndexToRead < 3)
+		  ResponseByte = BootloaderInfo[DataIndexToRead];
+		else
+		  ReadAddressInvalid = true;
 	}
 	else if (IS_ONEBYTE_COMMAND(SentCommand.Data, 0x01))                    // Read signature byte
 	{
-		if (DataIndexToRead < 0x60)
-		  ResponseByte = SignatureInfo[DataIndexToRead - 0x30];
-		else
-		  ResponseByte = SignatureInfo[DataIndexToRead - 0x60 + 3];
+		switch (DataIndexToRead)
+		{
+			case 0x30:
+				ResponseByte = SignatureInfo[0];
+				break;
+			case 0x31:
+				ResponseByte = SignatureInfo[1];
+				break;
+			case 0x60:
+				ResponseByte = SignatureInfo[2];
+				break;
+			case 0x61:
+				ResponseByte = SignatureInfo[3];
+				break;
+			default:
+				ReadAddressInvalid = true;
+				break;
+		}
+	}
+
+	if (ReadAddressInvalid)
+	{
+		/* Set the state and status variables to indicate the error */
+		DFU_State  = dfuERROR;
+		DFU_Status = errADDRESS;
 	}
 }
 
diff --git a/LUFA/DoxygenPages/ChangeLog.txt b/LUFA/DoxygenPages/ChangeLog.txt
index 636d469b6..cd88e5f2f 100644
--- a/LUFA/DoxygenPages/ChangeLog.txt
+++ b/LUFA/DoxygenPages/ChangeLog.txt
@@ -32,6 +32,7 @@
   *   - Fixed incorrect signature reported in the CDC/DFU bootloaders for the AT90USB82 (thanks to NicoHood)
   *   - Fixed broken RNDIS demos on Linux machines whose DHCP hosts require a Lease Time option (thanks to Stefan Hellermann)
   *   - Fixed broken LEDs_Disable() implementation for the Arduino Uno board (thanks to NicoHood)
+  *   - Fixed missing bounds checks and off-by-one in the DFU bootloader signature bytes (thanks to Reuti)
   *
   *  \section Sec_ChangeLog140928 Version 140928
   *  <b>New:</b>
-- 
GitLab