From f84df9a78d35eb458ab19c6dac8a0d5f00013886 Mon Sep 17 00:00:00 2001 From: Nico Huber Date: Wed, 4 May 2016 13:24:07 +0200 Subject: [PATCH] dediprog: Fix bug where too many transfers would be queued We didn't check the total number of queued transfers in the inner most loop. Up to DEDIPROG_ASYNC_TRANSFERS - 1 invalid transfers could be queued therefore. So add another check on the total number. Change-Id: I91a8de47db7107455f5fc63ab2f13a0bd50c5b63 Signed-off-by: Nico Huber Acked-by: David Hendricks Reviewed-on: https://review.coreboot.org/19351 Tested-by: build bot (Jenkins) Reviewed-by: Nico Huber
---
 dediprog.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/dediprog.c b/dediprog.c
index b7276e536..6f827724e 100644
--- a/dediprog.c
+++ b/dediprog.c
@@ -462,7 +462,9 @@ static int dediprog_spi_bulk_read(struct flashctx *flash, uint8_t *buf, unsigned
 /* Now transfer requested chunks using libusb's asynchronous interface. */
 while (!status.error && (status.queued_idx < count)) {
- while ((status.queued_idx - status.finished_idx) < DEDIPROG_ASYNC_TRANSFERS) {
+ while ((status.queued_idx < count) &&
+ (status.queued_idx - status.finished_idx) < DEDIPROG_ASYNC_TRANSFERS)
+ {
 transfer = transfers[status.queued_idx % DEDIPROG_ASYNC_TRANSFERS];
 libusb_fill_bulk_transfer(transfer, dediprog_handle, 0x80 | dediprog_in_endpoint,
 (unsigned char *)buf + status.queued_idx * chunksize, chunksize,
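Review bot: The added `status.queued_idx < count` test in the inner `while` is a memory-safety bound, not just a bookkeeping limit, and neither the code nor the commit message says so. The destination of each transfer is `(unsigned char *)buf + status.queued_idx * chunksize`, so, assuming `buf` holds `count * chunksize` bytes (its size is not visible in this hunk), a transfer queued at or past `count` would let device data land beyond the caller's buffer. I would put a comment above the inner loop, e.g. `/* Never queue past count: each transfer writes to buf + queued_idx * chunksize. */`, so the condition is not dropped in a later cleanup as a duplicate of the outer loop's test. As a style point, the second comparison could be parenthesised like the first for readability. The body of dediprog_spi_bulk_read starts and ends outside this hunk, so the completion and error paths were not reviewed.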