To ensure memory safety, callers of GetPointer have to perform a bounds
check. But how is this bounds check supposed to be performed?
GetPointerForRange contained one implementation of a bounds check, but
it was cumbersome, and it also isn't obvious why it's correct.
To make doing the right thing easier, this commit changes GetPointer to
return a span that tells the caller how many bytes it's allowed to
access.
This fourth part of my series of patches to get rid of unsafe uses of
GetPointer takes care of the "easy" cases in VideoCommon. Three uses of
GetPointer now remain in Dolphin: VertexLoaderManager, TextureInfo, and
the software renderer's TextureSampler.
On all platforms, this would result in out of bounds accesses when getting the component sizes (which uses stuff from VertexLoader_Position.h/VertexLoader_TextCoord.h/VertexLoader_Normal.h). On platforms other than x64 and ARM64, this would also be out of bounds accesses when getting function pointers for the non-JIT vertex loader (in VertexLoader_Position.cpp etc.). Usually both of these would get data from other entries in the same multi-dimensional array, but the last few entries would be truly out of bounds. This does mean that an out of bounds function pointer can be called on platforms that don't have a JIT vertex loader, but it is limited to invalid component formats with values 5/6/7 due to the size of the bitfield the formats come from, so it seems unlikely that this could be exploited in practice.
This issue affects a few games; Def Jam: Fight for New York (https://bugs.dolphin-emu.org/issues/12719) and Fifa Street are known to be affected.
I have not done any hardware testing for this PR specifically, though I *think* I previously determined that at least a value of 5 behaves the same as float (4). That's what I implemented in any case. I did previously determine that both Def Jam: Fight for New York and Fifa Street use an invalid normal format, but don't actually have lighting enabled when that normal vector is used, so it doesn't change rendering in practice.
The color component format also has two invalid values, but VertexLoader_Color.h/.cpp do check for those invalid ones and return a default value instead of doing an out of bounds access.
This takes care of making the image clearer in some edge cases where the game was already running at near perfect
4:3 with no stretching, and the VI aspect ratio didn't match the XFB by one pixel, making the image stretched and blurry.
-Video: Fix `FindClosestIntegerResolution() using the window aspect ratio and not the draw aspect ratio, causing it to prefer
stretching over black bars in cases when it wasn't desirable.
Instead, we make the event take a reference to the system and then pass
it in when the event is triggered.
This does introduce two other accessors, but these are much easier to
refactor out over time, and without modification to the existing event
interface.
Makes the hash specialization a little less noisy. Also we mark it
noexcept, since hashes shouldn't be throwing exceptions (and this can be
optimized on).
Allows using keys that aren't directly std::string as the key. This lets
us use std::string_view for the incoming path name, making it more
flexible with other string types.
sowens99