Merge pull request #10954 from shuffle2/ios-hdr-overflow

WiiSave: protect against a stack buffer overflow
2022-08-06 03:06:10 +02:00 · 2022-08-06 03:06:10 +02:00 · 92ed0e33a8
parent 3595c8b295 3ca673a675
commit 92ed0e33a8
1 changed files with 9 additions and 2 deletions
--- a/Source/Core/Core/HW/WiiSave.cpp
+++ b/Source/Core/Core/HW/WiiSave.cpp
@ -104,14 +104,21 @@ public:
    if (!m_uid || !m_gid)
      return {};

-    const auto banner = m_fs->OpenFile(*m_uid, *m_gid, m_data_dir + "/banner.bin", FS::Mode::Read);
+    const auto banner_path = m_data_dir + "/banner.bin";
+    const auto banner = m_fs->OpenFile(*m_uid, *m_gid, banner_path, FS::Mode::Read);
    if (!banner)
      return {};
    Header header{};
    header.banner_size = banner->GetStatus()->size;
+    if (header.banner_size > sizeof(header.banner))
+    {
+      ERROR_LOG_FMT(CORE, "NandStorage::ReadHeader: {} corrupted banner_size: {:x}", banner_path,
+                    header.banner_size);
+      return {};
+    }
    header.tid = m_tid;
    header.md5 = s_md5_blanker;
-    const u8 mode = GetBinMode(m_data_dir + "/banner.bin");
+    const u8 mode = GetBinMode(banner_path);
    if (!mode || !banner->Read(header.banner, header.banner_size))
      return {};
    header.permissions = mode;