Merge pull request #7765 from AdmiralCurtiss/fzero-save-file-out-of-bounds

GCMemcard: Fix out of bounds access in F-Zero GX checksum calculation.
This commit is contained in:
JMC47 2019-03-11 12:40:03 -04:00 committed by GitHub
commit 9e4ab87a34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 4 deletions

View File

@ -1277,12 +1277,15 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
u32 i, j; u32 i, j;
u32 serial1, serial2; u32 serial1, serial2;
u16 chksum = 0xFFFF; u16 chksum = 0xFFFF;
int block = 0;
// check for F-Zero GX system file // check for F-Zero GX system file
if (strcmp(reinterpret_cast<const char*>(direntry.m_filename.data()), "f_zero.dat") != 0) if (strcmp(reinterpret_cast<const char*>(direntry.m_filename.data()), "f_zero.dat") != 0)
return 0; return 0;
// also make sure that the filesize is correct
if (FileBuffer.size() != 4)
return 0;
// get encrypted destination memory card serial numbers // get encrypted destination memory card serial numbers
cardheader.CARD_GetSerialNo(&serial1, &serial2); cardheader.CARD_GetSerialNo(&serial1, &serial2);
@ -1295,7 +1298,9 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
// calc 16-bit checksum // calc 16-bit checksum
for (i = 0x02; i < 0x8000; i++) for (i = 0x02; i < 0x8000; i++)
{ {
chksum ^= (FileBuffer[block].m_block[i - (block * 0x2000)] & 0xFF); const int block = i / 0x2000;
const int offset = i % 0x2000;
chksum ^= (FileBuffer[block].m_block[offset] & 0xFF);
for (j = 8; j > 0; j--) for (j = 8; j > 0; j--)
{ {
if (chksum & 1) if (chksum & 1)
@ -1303,8 +1308,6 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
else else
chksum >>= 1; chksum >>= 1;
} }
if (!(i % 0x2000))
block++;
} }
// set new checksum // set new checksum