From 26f1176ceca2930faba962ebbfd768fc30e7b78c Mon Sep 17 00:00:00 2001
From: revel8n
Date: Thu, 9 Aug 2018 04:53:14 -0500
Subject: [PATCH] Ensure token traversal does not overrun declaration size
- Updated parameters to include DeclarationSize in order to ensure accesses do not go beyond allocated memory
---
 src/CxbxKrnl/EmuD3D8.cpp | 3 ++-
 src/CxbxKrnl/EmuD3D8/VertexShader.cpp | 6 ++++--
 src/CxbxKrnl/EmuD3D8/VertexShader.h | 3 ++-
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/CxbxKrnl/EmuD3D8.cpp b/src/CxbxKrnl/EmuD3D8.cpp
index 7051419f6..e2c22acb7 100644
--- a/src/CxbxKrnl/EmuD3D8.cpp
+++ b/src/CxbxKrnl/EmuD3D8.cpp
@@ -3545,7 +3545,8 @@ HRESULT WINAPI XTL::EMUPATCH(D3DDevice_CreateVertexShader)
 &VertexShaderSize,
 g_VertexShaderConstantMode == X_D3DSCM_NORESERVEDCONSTANTS,
 &bUseDeclarationOnly,
- pRecompiledDeclaration);
+ pRecompiledDeclaration,
+ DeclarationSize);
 if (SUCCEEDED(hRet))
 {
 if (!bUseDeclarationOnly)
diff --git a/src/CxbxKrnl/EmuD3D8/VertexShader.cpp b/src/CxbxKrnl/EmuD3D8/VertexShader.cpp
index 3c5d83112..fbe40fabd 100644
--- a/src/CxbxKrnl/EmuD3D8/VertexShader.cpp
+++ b/src/CxbxKrnl/EmuD3D8/VertexShader.cpp
@@ -2440,7 +2440,8 @@ extern HRESULT XTL::EmuRecompileVshFunction
 DWORD *pOriginalSize,
 boolean bNoReservedConstants,
 boolean *pbUseDeclarationOnly,
- DWORD *pRecompiledDeclaration
+ DWORD *pRecompiledDeclaration,
+ DWORD DeclarationSize
 )
 {
 VSH_SHADER_HEADER *pShaderHeader = (VSH_SHADER_HEADER*)pFunction;
@@ -2455,6 +2456,7 @@ extern HRESULT XTL::EmuRecompileVshFunction
 // as they cause CreateVertexShader to fail
 bool declaredRegisters[13] = { false };
 DWORD* pDeclToken = pRecompiledDeclaration;
+ DWORD* pDeclEnd = (DWORD*)((BYTE*)pDeclToken + DeclarationSize);
 do {
 DWORD regNum = *pDeclToken & X_D3DVSD_VERTEXREGMASK;
 if (regNum > 12) {
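Review bot: The first dereference `*pDeclToken` inside the `do` body runs before any comparison against `pDeclEnd`, so a DeclarationSize smaller than sizeof(DWORD) still reads past the buffer; the new bound only protects reads from the second iteration on (the loop condition lives in the following hunk at line 2468 of the new file). Rewriting the loop head as `while (pDeclToken < pDeclEnd && *pDeclToken != X_D3DVSD_END()) {` and closing it with a plain `}` closes that gap; the only behavioural difference is that an END token at offset 0 no longer passes through the body, which looks intended but should be checked against the `regNum > 12` branch, whose body is outside this hunk. Computing the bound in tokens, `DWORD* pDeclEnd = pDeclToken + DeclarationSize / sizeof(DWORD);`, also drops the two casts and rounds a size that is not a multiple of sizeof(DWORD) down instead of allowing a partial final DWORD read. The enclosing function starts in the previous hunk and continues past this one.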
@@ -2466,7 +2468,7 @@ extern HRESULT XTL::EmuRecompileVshFunction
 declaredRegisters[regNum] = true;
 pDeclToken++;
- } while (*pDeclToken != X_D3DVSD_END());
+ } while (pDeclToken < pDeclEnd && *pDeclToken != X_D3DVSD_END());
 // TODO: support this situation..
 if(pFunction == NULL)
diff --git a/src/CxbxKrnl/EmuD3D8/VertexShader.h b/src/CxbxKrnl/EmuD3D8/VertexShader.h
index fff149950..816d3386b 100644
--- a/src/CxbxKrnl/EmuD3D8/VertexShader.h
+++ b/src/CxbxKrnl/EmuD3D8/VertexShader.h
@@ -67,7 +67,8 @@ extern HRESULT EmuRecompileVshFunction
 DWORD *pOriginalSize,
 boolean bNoReservedConstants,
 boolean *pbUseDeclarationOnly,
- DWORD *pRecompiledDeclaration
+ DWORD *pRecompiledDeclaration,
+ DWORD DeclarationSize
 );
 extern void FreeVertexDynamicPatch(CxbxVertexShader *pVertexShader);
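Review bot: When the loop now exits because `pDeclToken` reached `pDeclEnd` rather than because an END token was found, the declaration was truncated or malformed, yet nothing after the loop distinguishes that case and execution continues as if the walk completed normally. A check directly after the loop, e.g. `if (pDeclToken >= pDeclEnd) { /* no X_D3DVSD_END() within DeclarationSize: malformed declaration */ }` that logs a warning or returns a failure HRESULT, would make the truncation visible instead of silent. The enclosing function continues well beyond this hunk.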
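Review bot: The new `DeclarationSize` parameter carries no documentation of its unit, while the implementation in VertexShader.cpp adds it to a BYTE pointer, i.e. treats it as a byte count rather than a number of DWORD tokens, so a caller passing a token count would get a bound that is four times too small. A one-line comment on the declaration, `DWORD DeclarationSize // byte size of the buffer at pRecompiledDeclaration`, would pin this down; the same comment belongs on the definition in the VertexShader.cpp signature hunk at line 2440.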