Merge pull request #12221 from nick0ve/fix-gc-memcard-heap-overflow
Fix heap buffer overflow in GCMemcardRaw
commit
968a981958
|
@ -169,7 +169,7 @@ void MemoryCard::MakeDirty()
|
||||||
|
|
||||||
s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
|
s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
|
||||||
{
|
{
|
||||||
if (!IsAddressInBounds(src_address))
|
if (!IsAddressInBounds(src_address, length))
|
||||||
{
|
{
|
||||||
PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x})", src_address);
|
PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x})", src_address);
|
||||||
return -1;
|
return -1;
|
||||||
|
@ -181,7 +181,7 @@ s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
|
||||||
|
|
||||||
s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
|
s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
|
||||||
{
|
{
|
||||||
if (!IsAddressInBounds(dest_address))
|
if (!IsAddressInBounds(dest_address, length))
|
||||||
{
|
{
|
||||||
PanicAlertFmtT("MemoryCard: Write called with invalid destination address ({0:#x})",
|
PanicAlertFmtT("MemoryCard: Write called with invalid destination address ({0:#x})",
|
||||||
dest_address);
|
dest_address);
|
||||||
|
@ -198,7 +198,7 @@ s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
|
||||||
|
|
||||||
void MemoryCard::ClearBlock(u32 address)
|
void MemoryCard::ClearBlock(u32 address)
|
||||||
{
|
{
|
||||||
if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address))
|
if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address, Memcard::BLOCK_SIZE))
|
||||||
{
|
{
|
||||||
PanicAlertFmtT("MemoryCard: ClearBlock called on invalid address ({0:#x})", address);
|
PanicAlertFmtT("MemoryCard: ClearBlock called on invalid address ({0:#x})", address);
|
||||||
return;
|
return;
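Review bot: In `Read`, the signed `s32 length` is passed straight into a parameter that the header section of this commit declares as `u32 length`, so a negative length is rejected only as a side effect of the implicit conversion to a very large unsigned value; the same applies to `Write` in the next hunk. An explicit guard such as `if (length < 0 || !IsAddressInBounds(src_address, static_cast<u32>(length)))` would make that intent visible and keep it working if the helper's parameter type changes later. The alert still prints only the address, so a request rejected because of its length is hard to diagnose from the message; consider reporting the length as well. Both function bodies continue outside the hunks, so the copy that consumes `length` is not visible here.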
|
||||||
|
|
|
@ -30,7 +30,11 @@ public:
|
||||||
void DoState(PointerWrap& p) override;
|
void DoState(PointerWrap& p) override;
|
||||||
|
|
||||||
private:
|
private:
|
||||||
bool IsAddressInBounds(u32 address) const { return address <= (m_memory_card_size - 1); }
|
bool IsAddressInBounds(u32 address, u32 length) const
|
||||||
|
{
|
||||||
|
u64 end_address = static_cast<u64>(address) + static_cast<u64>(length);
|
||||||
|
return end_address <= static_cast<u64>(m_memory_card_size);
|
||||||
|
}
|
||||||
|
|
||||||
std::string m_filename;
|
std::string m_filename;
|
||||||
std::unique_ptr<u8[]> m_memcard_data;
|
std::unique_ptr<u8[]> m_memcard_data;
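Review bot: `IsAddressInBounds` has no comment explaining why the sum is widened, which is the core of the fix: in 32-bit arithmetic `address + length` can wrap around and pass the comparison. I would add `// Widen to u64 so address + length cannot wrap in u32; [address, address + length) must lie inside the card.` above the function. The comment should also state that a zero `length` at `address == m_memory_card_size` is now accepted, whereas the old single-argument check rejected that address. As a style point, `end_address` is never modified and can be declared `const u64`.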
|
||||||
|
|