From 14e4cd09c93c02fd01a581ae3153fad26d5d8e71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Th=C3=B6rnblad?=
Date: Tue, 6 May 2025 12:53:12 +0200
Subject: [PATCH] ch552: Fix FIDO data copy

Fix potential out of bounds write.
---
 hw/usb_interface/ch552_fw/src/main.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/hw/usb_interface/ch552_fw/src/main.c b/hw/usb_interface/ch552_fw/src/main.c
index 91d1c2f..c8cbb5c 100644
--- a/hw/usb_interface/ch552_fw/src/main.c
+++ b/hw/usb_interface/ch552_fw/src/main.c
@@ -1687,18 +1687,19 @@ void main()
 // Copy FIDO data from UartRxBuf to FrameBuf
 if (FrameStarted && !FrameDiscard && !FidoDataAvailable) {
 if (FrameMode == IO_FIDO) {
- // Check if a complete frame has been received
- if (UartRxBufByteCount >= FrameRemainingBytes) {
+ if ((FrameRemainingBytes >= MAX_FRAME_SIZE) &&
+ (UartRxBufByteCount >= MAX_FRAME_SIZE)) {
 circular_copy(FrameBuf, UartRxBuf, UART_RX_BUF_SIZE, UartRxBufOutputPointer,
- FrameRemainingBytes);
+ MAX_FRAME_SIZE);
 FrameBufLength = MAX_FRAME_SIZE;
 // Update output pointer
 UartRxBufOutputPointer = increment_pointer(UartRxBufOutputPointer,
- FrameRemainingBytes,
+ MAX_FRAME_SIZE,
 UART_RX_BUF_SIZE);
+ FrameRemainingBytes -= MAX_FRAME_SIZE;
 FidoDataAvailable = 1;
 cts_start();
 }
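Review bot: The new guard on the first added line only fires when FrameRemainingBytes >= MAX_FRAME_SIZE, so a frame whose remaining byte count is smaller than MAX_FRAME_SIZE (a tail that is not a whole chunk) is never copied by this branch and FrameBufLength is never set to the shorter length; if no other path drains such a tail, the frame stalls with its bytes left in UartRxBuf. Presumably FIDO frames here are always consumed in whole MAX_FRAME_SIZE chunks, in which case the bound is correct but the invariant deserves stating, since the removed comment was the only explanation of the condition; a replacement such as `// FIDO frames are consumed in whole MAX_FRAME_SIZE chunks; FrameBuf holds exactly one` above the new `if` would make that visible. If shorter tails are possible, `FrameBufLength` should carry the actual number of bytes copied rather than the constant MAX_FRAME_SIZE. The enclosing main() loop starts and ends outside the hunk, so neither the update of UartRxBufByteCount nor any short-tail handling can be verified here.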