diff --git a/examples/device/cdc_msc/src/msc_disk.c b/examples/device/cdc_msc/src/msc_disk.c index d2f8628f13..c1132bbfcb 100644 --- a/examples/device/cdc_msc/src/msc_disk.c +++ b/examples/device/cdc_msc/src/msc_disk.c @@ -192,6 +192,9 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff // out of ramdisk if ( lba >= DISK_BLOCK_NUM ) return -1; + // Check for overflow of offset + bufsize + if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1; + uint8_t const* addr = msc_disk[lba] + offset; memcpy(buffer, addr, bufsize); diff --git a/examples/device/cdc_msc_freertos/src/msc_disk.c b/examples/device/cdc_msc_freertos/src/msc_disk.c index d2f8628f13..e13c244364 100644 --- a/examples/device/cdc_msc_freertos/src/msc_disk.c +++ b/examples/device/cdc_msc_freertos/src/msc_disk.c @@ -191,6 +191,8 @@ int32_t tud_msc_read10_cb(uint8_t lun, uint32_t lba, uint32_t offset, void* buff // out of ramdisk if ( lba >= DISK_BLOCK_NUM ) return -1; + // Check for overflow of offset + bufsize + if ( offset + bufsize >= DISK_BLOCK_SIZE ) return -1; uint8_t const* addr = msc_disk[lba] + offset; memcpy(buffer, addr, bufsize);