Merge pull request #5035 from lioncash/out-of-bounds

GCAdapter_Android: Fix an array bounds overrun in Read()
Markus Wick 2017-03-08 10:01:34 +01:00 committed by GitHub
commit ac914e939b
1 changed files with 6 additions and 6 deletions


@ -3,6 +3,7 @@
// Refer to the license.txt file included. // Refer to the license.txt file included.
#include <algorithm> #include <algorithm>
#include <array>
#include <jni.h> #include <jni.h>
#include <mutex> #include <mutex>
@ -39,7 +40,7 @@ static u8 s_controller_rumble[4];
// Input handling // Input handling
static std::mutex s_read_mutex; static std::mutex s_read_mutex;
static u8 s_controller_payload[37]; static std::array<u8, 37> s_controller_payload;
static std::atomic<int> s_controller_payload_size{0}; static std::atomic<int> s_controller_payload_size{0};
// Output handling // Output handling
@ -158,7 +159,7 @@ static void Read()
jbyte* java_data = env->GetByteArrayElements(*java_controller_payload, nullptr); jbyte* java_data = env->GetByteArrayElements(*java_controller_payload, nullptr);
{ {
std::lock_guard<std::mutex> lk(s_read_mutex); std::lock_guard<std::mutex> lk(s_read_mutex);
memcpy(s_controller_payload, java_data, 0x37); std::copy(java_data, java_data + s_controller_payload.size(), s_controller_payload.begin());
s_controller_payload_size.store(read_size); s_controller_payload_size.store(read_size);
} }
env->ReleaseByteArrayElements(*java_controller_payload, java_data, 0); env->ReleaseByteArrayElements(*java_controller_payload, java_data, 0);
@ -268,17 +269,16 @@ GCPadStatus Input(int chan)
return {}; return {};
int payload_size = 0; int payload_size = 0;
u8 controller_payload_copy[37]; std::array<u8, 37> controller_payload_copy;
{ {
std::lock_guard<std::mutex> lk(s_read_mutex); std::lock_guard<std::mutex> lk(s_read_mutex);
std::copy(std::begin(s_controller_payload), std::end(s_controller_payload), controller_payload_copy = s_controller_payload;
std::begin(controller_payload_copy));
payload_size = s_controller_payload_size.load(); payload_size = s_controller_payload_size.load();
} }
GCPadStatus pad = {}; GCPadStatus pad = {};
if (payload_size != sizeof(controller_payload_copy)) if (payload_size != controller_payload_copy.size())
{ {
ERROR_LOG(SERIALINTERFACE, "error reading payload (size: %d, type: %02x)", payload_size, ERROR_LOG(SERIALINTERFACE, "error reading payload (size: %d, type: %02x)", payload_size,
controller_payload_copy[0]); controller_payload_copy[0]);
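Review bot: In Read(), the new `std::copy(java_data, java_data + s_controller_payload.size(), s_controller_payload.begin())` fixes the write overrun but still reads a fixed 37 bytes from `java_data`, and the visible lines check neither that pointer nor the Java array's length. If `GetByteArrayElements` returns null or the array is ever shorter than 37 elements, this becomes an invalid or out-of-bounds read while `s_read_mutex` is held. I would bound the copy, e.g. `const size_t n = std::min<size_t>(env->GetArrayLength(*java_controller_payload), s_controller_payload.size());` followed by `std::copy(java_data, java_data + n, s_controller_payload.begin());`, and skip the copy when `java_data` is null. Read()'s body starts and ends outside the hunk, so the array may be sized elsewhere; if it is, a comment stating that invariant next to the copy would be enough.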