From 83b9feff902580549d7371f1e8f6f99d5f86ade6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Lam?=
Date: Sat, 21 Nov 2020 01:30:02 +0100
Subject: [PATCH] Core/Movie: Fix a likely out-of-bounds read for PanicAlertT

gameID isn't null terminated since it is just an std::array and .data() returns a char* so {fmt} would go way beyond the bounds of the array when it attempts to determine the length of the string. The fix is to pass a std::string_view to {fmt}. This commit adds a GetGameID() function that can also be used to simplify string comparisons.
---
 Source/Core/Core/Movie.cpp | 4 ++--
 Source/Core/Core/Movie.h | 3 +++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/Source/Core/Core/Movie.cpp b/Source/Core/Core/Movie.cpp
index 7aedcddaa6..fa67c9d0bc 100644
--- a/Source/Core/Core/Movie.cpp
+++ b/Source/Core/Core/Movie.cpp
@@ -227,10 +227,10 @@ void Init(const BootParameters& boot)
 ReadHeader();
 std::thread md5thread(CheckMD5);
 md5thread.detach();
- if (strncmp(tmpHeader.gameID.data(), SConfig::GetInstance().GetGameID().c_str(), 6))
+ if (tmpHeader.GetGameID() == SConfig::GetInstance().GetGameID())
 {
 PanicAlertFmtT("The recorded game ({0}) is not the same as the selected game ({1})",
- tmpHeader.gameID.data(), SConfig::GetInstance().GetGameID());
+ tmpHeader.GetGameID(), SConfig::GetInstance().GetGameID());
 EndPlayInput(false);
 }
 }
diff --git a/Source/Core/Core/Movie.h b/Source/Core/Core/Movie.h
index 9edf5c2a8b..dd55bea55b 100644
--- a/Source/Core/Core/Movie.h
+++ b/Source/Core/Core/Movie.h
@@ -8,6 +8,7 @@
 #include
 #include
 #include
+#include
 
 #include "Common/CommonTypes.h"
 
@@ -63,6 +64,8 @@ static_assert(sizeof(ControllerState) == 8, "ControllerState should be 8 bytes")
 #pragma pack(push, 1)
 struct DTMHeader
 {
+ std::string_view GetGameID() const { return {gameID.data(), gameID.size()}; }
+
 std::array filetype; // Unique Identifier (always "DTM"0x1A)
 std::array gameID; // The Game ID
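Review bot: The rewritten condition in the Movie.cpp hunk is inverted: `strncmp` returned non-zero when the IDs differed, so the old code raised the alert on a mismatch, whereas `tmpHeader.GetGameID() == SConfig::GetInstance().GetGameID()` now reports "not the same" and calls `EndPlayInput(false)` exactly when they match, and lets a movie recorded for a different game play back unchallenged. It should read `if (tmpHeader.GetGameID() != SConfig::GetInstance().GetGameID())`. The comparison semantics also change from the first six characters to full-length equality; if `SConfig::GetGameID()` can ever be longer or shorter than six characters, or a DTM gameID carries trailing NUL padding, the new check will disagree with the old one, which is worth confirming against the header format. `Init` continues outside the hunk.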