From af77e5ab62a920000b8e33544ba2f2efa0cb42e9 Mon Sep 17 00:00:00 2001
From: Vicki Pfau
Date: Wed, 1 Feb 2017 13:21:26 -0800
Subject: [PATCH] Util: Fix overflow when loading invalid UPS patches
---
 CHANGES              | 1 +
 src/util/patch-ups.c | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/CHANGES b/CHANGES
index 50aeba077..d1bb8c2d0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -21,6 +21,7 @@ Bugfixes:
  - GB MBC: Fix ROM bank overflows getting set to bank 0
  - Qt: Fix timing issues on high refresh rate monitors
  - GBA Savedata: Fix savedata unmasking (fixes mgba.io/i/441)
+ - Util: Fix overflow when loading invalid UPS patches
 Misc:
  - SDL: Remove scancode key input
  - GBA Video: Clean up unused timers
diff --git a/src/util/patch-ups.c b/src/util/patch-ups.c
index d58ee2216..5f24311ef 100644
--- a/src/util/patch-ups.c
+++ b/src/util/patch-ups.c
@@ -87,6 +87,9 @@ bool _UPSApplyPatch(struct Patch* patch, const void* in, size_t inSize, void* ou
 			if (patch->vf->read(patch->vf, &byte, 1) != 1) {
 				return false;
 			}
+			if (offset >= outSize) {
+				return false;
+			}
 			buf[offset] ^= byte;
 			++offset;
 			if (!byte) {
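Review bot: The new `offset >= outSize` guard stops the out-of-bounds write at `buf[offset] ^= byte`, but the `return false` it adds fires after earlier iterations of this loop have already XOR-ed bytes into `out`, so a rejected patch leaves the caller's output buffer partially modified; nothing in the hunk records that contract. A comment on the guard would make the failure mode explicit for callers, e.g. `// Malformed patch: offset past the output buffer. out is left partially patched on this path.` The guard also only bounds the index at the point of the write; `offset` is advanced elsewhere (the `++offset` here and, presumably, by the decoded relative length outside this hunk), so a wrapped `size_t` would still pass this check while landing inside the buffer — not a memory-safety issue, but worth noting if the later CRC check is what is relied on to reject such input. `_UPSApplyPatch` starts and ends outside the hunk.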