From 0c7d5d796d1f218f445ad43389cb6c9a9925c228 Mon Sep 17 00:00:00 2001 From: riccardom Date: Sat, 25 Jun 2011 21:50:00 +0000 Subject: [PATCH] Fix buffer overflow when creating firmware.dfc file string When the user uses an external firmware image, there is a call to getpathnoext() in firmware.cpp:571 in order to generate a file name for the saved firmware config file. The size of the MMU.fw.userfile char buffer is only 260, as declared in mc.h:73. However, getpathnoext() expects the buffer size to be MAX_PATH, which is declared as 1024 in types.h:77. The buffer overflow occurs in path.h:293 with the call to strncpy(), which copies 1024 chars into MMU.fw.userfile, which is only 260 chars. This patch fixes this bug by setting the MMU.fw.userfile char buffer to a size of MAX_PATH. This is consistent with the char buffers used for the other file names. From rogerman, #3328686 --- desmume/src/mc.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/desmume/src/mc.h b/desmume/src/mc.h index 92560777f..76c3da04c 100644 --- a/desmume/src/mc.h +++ b/desmume/src/mc.h @@ -1,6 +1,6 @@ /* Copyright (C) 2006 thoduv Copyright (C) 2006 Theo Berkau - Copyright (C) 2008-2010 DeSmuME team + Copyright (C) 2008-2011 DeSmuME team This file is part of DeSmuME @@ -70,7 +70,7 @@ struct memory_chip_t // needs only for firmware bool isFirmware; - char userfile[260]; + char userfile[MAX_PATH]; }; //the new backup system by zeromus
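Review bot: the `char userfile[MAX_PATH];` line in the memory_chip_t hunk of mc.h makes this one buffer match what getpathnoext() assumes, but the size contract stays implicit. Per the commit message, the strncpy() at path.h:293 copies MAX_PATH chars into whatever destination it is handed, so any other caller that passes a smaller array would overflow in the same way. Suggest having getpathnoext() take the destination size (the caller passing sizeof(MMU.fw.userfile)) and writing the terminating NUL explicitly after the strncpy(), since strncpy() does not terminate the destination when the source fills it. Please also confirm that mc.h picks up the MAX_PATH from types.h (1024) on every platform; the hunk shows no include, and if a different definition of MAX_PATH were in scope the array could end up smaller than the callee expects.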