ShuriZma
/
dolphin
mirror of https://github.com/dolphin-emu/dolphin.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ESFormats: Fix GetRawTicketView 

The vector was not constructed with the proper size, which results in a
buffer overflow as we were using memcpy.

This commit fixes that mistake and also uses a safer way of copying the
ticket view data (std::vector::insert instead of memcpy).
This commit is contained in:
Léo Lam 2017-02-27 21:14:06 +01:00
parent 7ac95c2673
commit 4e462d44f9
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Source/Core/Core/IOS/ES/Formats.cpp
View File

@ -234,14 +234,17 @@ const std::vector<u8>& TicketReader::GetRawTicket() const
std::vector<u8> TicketReader::GetRawTicketView(u32 ticket_num) const std::vector<u8> TicketReader::GetRawTicketView(u32 ticket_num) const
{ {
// A ticket view is composed of a view ID + part of a ticket starting from the ticket_id field. // A ticket view is composed of a view ID + part of a ticket starting from the ticket_id field.
std::vector<u8> view{sizeof(TicketView)}; const auto ticket_start = m_bytes.cbegin() + (GetOffset() + sizeof(Ticket)) * ticket_num;
const auto view_start = ticket_start + offsetof(Ticket, ticket_id);
u32 view_id = Common::swap32(ticket_num); // Copy the view ID to the buffer.
std::vector<u8> view(sizeof(TicketView::view));
const u32 view_id = Common::swap32(ticket_num);
std::memcpy(view.data(), &view_id, sizeof(view_id)); std::memcpy(view.data(), &view_id, sizeof(view_id));
const size_t ticket_start = (GetOffset() + sizeof(Ticket)) * ticket_num; // Copy the rest of the ticket view structure from the ticket.
const size_t view_start = ticket_start + offsetof(Ticket, ticket_id); view.insert(view.end(), view_start, view_start + sizeof(TicketView) - sizeof(view_id));
std::memcpy(view.data() + sizeof(view_id), &m_bytes[view_start], sizeof(view) - sizeof(view_id)); _assert_(view.size() == sizeof(TicketView));
return view; return view;
} }