Merge pull request #12221 from nick0ve/fix-gc-memcard-heap-overflow

Fix heap buffer overflow in GCMemcardRaw
This commit is contained in:
Admiral H. Curtiss 2023-10-08 15:20:43 +02:00 committed by GitHub
commit 968a981958
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 4 deletions

View File

@ -169,7 +169,7 @@ void MemoryCard::MakeDirty()
s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address) s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
{ {
if (!IsAddressInBounds(src_address)) if (!IsAddressInBounds(src_address, length))
{ {
PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x})", src_address); PanicAlertFmtT("MemoryCard: Read called with invalid source address ({0:#x})", src_address);
return -1; return -1;
@ -181,7 +181,7 @@ s32 MemoryCard::Read(u32 src_address, s32 length, u8* dest_address)
s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address) s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
{ {
if (!IsAddressInBounds(dest_address)) if (!IsAddressInBounds(dest_address, length))
{ {
PanicAlertFmtT("MemoryCard: Write called with invalid destination address ({0:#x})", PanicAlertFmtT("MemoryCard: Write called with invalid destination address ({0:#x})",
dest_address); dest_address);
@ -198,7 +198,7 @@ s32 MemoryCard::Write(u32 dest_address, s32 length, const u8* src_address)
void MemoryCard::ClearBlock(u32 address) void MemoryCard::ClearBlock(u32 address)
{ {
if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address)) if (address & (Memcard::BLOCK_SIZE - 1) || !IsAddressInBounds(address, Memcard::BLOCK_SIZE))
{ {
PanicAlertFmtT("MemoryCard: ClearBlock called on invalid address ({0:#x})", address); PanicAlertFmtT("MemoryCard: ClearBlock called on invalid address ({0:#x})", address);
return; return;

View File

@ -30,7 +30,11 @@ public:
void DoState(PointerWrap& p) override; void DoState(PointerWrap& p) override;
private: private:
bool IsAddressInBounds(u32 address) const { return address <= (m_memory_card_size - 1); } bool IsAddressInBounds(u32 address, u32 length) const
{
u64 end_address = static_cast<u64>(address) + static_cast<u64>(length);
return end_address <= static_cast<u64>(m_memory_card_size);
}
std::string m_filename; std::string m_filename;
std::unique_ptr<u8[]> m_memcard_data; std::unique_ptr<u8[]> m_memcard_data;