From 06329ecfc74dd7ee6631d2054e71aeadb47424f0 Mon Sep 17 00:00:00 2001
From: JosJuice
Date: Mon, 25 Mar 2024 18:03:11 +0100
Subject: [PATCH] Core: Fix IPL device m_cursor overflow

Not sure if the behavior I'm implementing here is what real hardware does, but since this is a buffer overflow, I'd like to get it fixed quickly. Hardware verification can happen later.

https://bugs.dolphin-emu.org/issues/13506
---
 Source/Core/Core/HW/EXI/EXI_DeviceIPL.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Source/Core/Core/HW/EXI/EXI_DeviceIPL.cpp b/Source/Core/Core/HW/EXI/EXI_DeviceIPL.cpp
index 3cdf942c0f..2a761cfcdd 100644
--- a/Source/Core/Core/HW/EXI/EXI_DeviceIPL.cpp
+++ b/Source/Core/Core/HW/EXI/EXI_DeviceIPL.cpp
@@ -320,6 +320,8 @@ void CEXIIPL::TransferByte(u8& data)
 if (!m_command.is_write())
 {
 u32 dev_addr = address - ROM_BASE + m_cursor++;
+ // TODO: Is this address wrapping correct? Needs a hardware test
+ dev_addr %= ROM_SIZE;
 // Technically we should descramble here iff descrambling logic is enabled.
 // At the moment, we pre-decrypt the whole thing and
 // ignore the "enabled" bit - see CEXIIPL::CEXIIPL
@@ -346,6 +348,8 @@ void CEXIIPL::TransferByte(u8& data)
 {
 auto& sram = m_system.GetSRAM();
 u32 dev_addr = address - SRAM_BASE + m_cursor++;
+ // TODO: Is this address wrapping correct? Needs a hardware test
+ dev_addr %= SRAM_SIZE;
 if (m_command.is_write())
 sram[dev_addr] = data;
 else
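Review bot: The comment added above `dev_addr %= ROM_SIZE;` frames the modulo only as an open accuracy question, so nothing tells a later reader that it is also the bounds check keeping the ROM lookup in range as `m_cursor++` keeps counting up. Whoever runs the hardware test could replace the wrap with different behaviour and drop the bound along with it. I would word it as `// Bounds dev_addr to the ROM buffer; m_cursor grows with every transferred byte. TODO: confirm real hardware wraps here.` and use matching wording at `dev_addr %= SRAM_SIZE;` in the second hunk. The lookup that consumes dev_addr lies below the hunk, so this assumes the buffer it indexes holds at least ROM_SIZE bytes.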
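Review bot: `sram[dev_addr] = data;` is a write, so the wrap in this hunk is only safe if the object returned by `m_system.GetSRAM()` is exactly SRAM_SIZE bytes long, and nothing visible here ties the two together. If the SRAM layout and the constant drift apart, the modulo would still let a write land past the end of the object. Assuming its `operator[]` indexes bytes, a compile-time check such as `static_assert(sizeof(std::remove_reference_t<decltype(sram)>) == SRAM_SIZE);` right after the `auto& sram` line would pin that down. The `else` branch and the rest of TransferByte continue outside the hunk, so the read path could not be checked from here.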