From 31dfb53152bc22f2ad1aab4fdd13c01b67444d2d Mon Sep 17 00:00:00 2001
From: Nicola Vella
Date: Fri, 6 Oct 2023 19:30:03 +0200
Subject: [PATCH 1/2] Fix heap buffer overflow in GCMemcardRaw
---
 Source/Core/Core/HW/GCMemcard/GCMemcardRaw.cpp | 6 +++---
 Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.cpp b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.cpp
index a622b1145e..f5a3f6a8ba 100644
--- a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.cpp
+++ b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.cpp
@@ -169,7 +169,7 @@ void MemoryCard::MakeDirty()
 s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
 {
- if (!IsAddressInBounds(src_address))
+ if (!IsAddressInBounds(src_address, length))
 {
 PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x})", src_address);
 return -1;
@@ -181,7 +181,7 @@ s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
 s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
 {
- if (!IsAddressInBounds(dest_address))
+ if (!IsAddressInBounds(dest_address, length))
 {
 PanicAlertFmtT("MemoryCard: Write called with invalid destination address ({0:#x})", dest_address);
@@ -198,7 +198,7 @@ s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
 void MemoryCard::ClearBlock(u32 address)
 {
- if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address))
+ if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address, Memcard::BLOCK_SIZE))
 {
 PanicAlertFmtT("MemoryCard: ClearBlock called on invalid address ({0:#x})", address);
 return;
diff --git a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
index c6c85313e8..067f795401 100644
--- a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
+++ b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
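Review bot: `length` is `s32` in Read's signature but is now passed to a `u32` parameter, so a negative length is rejected only through the implicit conversion to a value of 2^31 or more, which works with the 64-bit comparison of the final helper but not with the first version's wrapping `u32` sum; the rejection should not depend on that detail. Make it explicit and put the length in the diagnostic, since a rejected call currently reports only the address: `if (length < 0 || !IsAddressInBounds(src_address, static_cast<u32>(length)))` with `PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x}) or length ({1})", src_address, length);`. Read's body, including the copy this check guards, continues past the end of the hunk.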
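Review bot: The diagnostic on the PanicAlertFmtT line still reports only `dest_address`, so a write rejected because of its `length` is indistinguishable in the log from one rejected for its address, and the `s32` to `u32` conversion of `length` happens silently at the call. Suggest `if (length < 0 || !IsAddressInBounds(dest_address, static_cast<u32>(length)))` and a second format argument, `"MemoryCard: Write called with invalid destination address ({0:#x}) or length ({1})", dest_address, length);`. Write's body, including the copy into the card image, continues past the end of the hunk.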
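Review bot: The alignment test `address & (Memcard::BLOCK_SIZE - 1)` is only an alignment test if `Memcard::BLOCK_SIZE` is a power of two, which nothing in the hunk establishes; for any other value the mask admits misaligned addresses, and the new `IsAddressInBounds(address, Memcard::BLOCK_SIZE)` check would then still stop the overflow but let a clear straddle two blocks. Either pin the assumption next to the check, `static_assert((Memcard::BLOCK_SIZE & (Memcard::BLOCK_SIZE - 1)) == 0, "BLOCK_SIZE must be a power of two");`, or write the test as `address % Memcard::BLOCK_SIZE != 0`, which is correct for any block size. ClearBlock's body continues past the end of the hunk.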
@@ -30,7 +30,7 @@ public:
 void DoState(PointerWrap& p) override;
 private:
- bool IsAddressInBounds(u32 address) const { return address <= (m_memory_card_size - 1); }
+ bool IsAddressInBounds(u32 address, u32 length) const { return address + length <= (m_memory_card_size - 1); }
 std::string m_filename;
 std::unique_ptr m_memcard_data;
From b506bdc4018095dc4bc612a5b12837b3dfeb2d76 Mon Sep 17 00:00:00 2001
From: Nicola Vella
Date: Sun, 8 Oct 2023 11:37:43 +0200
Subject: [PATCH 2/2] Fix heap buffer overflow in GCMemcardRaw
---
 Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
index 067f795401..3138899667 100644
--- a/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
+++ b/Source/Core/Core/HW/GCMemcard/GCMemcardRaw.h
@@ -30,7 +30,11 @@ public:
 void DoState(PointerWrap& p) override;
 private:
- bool IsAddressInBounds(u32 address, u32 length) const { return address + length <= (m_memory_card_size - 1); }
+ bool IsAddressInBounds(u32 address, u32 length) const
+ {
+ u64 end_address = static_cast(address) + static_cast(length);
+ return end_address <= static_cast(m_memory_card_size);
+ }
 std::string m_filename;
 std::unique_ptr m_memcard_data;
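Review bot: The rewritten helper has no comment stating its contract, and it is now a range check rather than a single-address check, so a comment above the signature would stop the next caller from passing an inclusive end: `// True iff the half-open range [address, address + length) lies inside the card image; the sum is formed in 64 bits so two 32-bit operands cannot wrap.` There is also a small behaviour change at the end of the image: `address == m_memory_card_size` with `length == 0` now passes, where the old `address <= (m_memory_card_size - 1)` rejected it, which is presumably harmless for a zero-length copy but worth noting if any caller used the helper to validate a bare address. Marking the function `[[nodiscard]]` would turn an ignored result into a compiler warning. The enclosing class declaration begins before and ends after this hunk.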