Fix integer overflow in cheatsImportGSACodeFile length check.

Although a length check is being performed on the imported GSA Codes file, `len` is both a signed int and attacker-controlled.

With a specially crafted GSA Codes file, an attacker could specify a value for `len` that overflows the `int` type, rolling over into a negative number. By doing so, the attacker can bypass the conditional mentioned above.

The `fseek` length parameter is of type `size_t`, which is an unsigned int; this will result in `len` being interpreted as a large unsigned int, allowing for a stack-based buffer overflow in the `desc` char array.

Making `len` an unsigned integer prevents the overflow and ensures that the bounds check works as intended.
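The signed-length bypass the message describes, as an added C example (not code from the commit or from the project): the exact shape of the original check, the size of the `desc` buffer and the file's byte order are not visible in the hunk, so all three are assumptions here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical size of the on-stack `desc` buffer; the real size in
 * cheatsImportGSACodeFile is not visible in the commit. */
#define DESC_SIZE 100

/* Assumed shape of the original check: signed `len` against a signed limit.
 * A negative `len` passes the test, then becomes a huge size_t for fread(). */
static bool signed_check_lets_read_overflow(int len) {
    if (len > DESC_SIZE) {
        return false;                 /* rejected: honestly large length */
    }
    size_t fread_count = (size_t)len; /* -1 turns into SIZE_MAX here */
    return fread_count > DESC_SIZE;   /* true means desc would be overrun */
}

/* The fix: `len` is uint32_t, so there is no negative value to slip through.
 * A crafted 0xFFFFFFFF is just a large number the same comparison rejects. */
static bool accept_len_unsigned(uint32_t len) {
    return len <= DESC_SIZE;
}

static bool unsigned_check_lets_read_overflow(uint32_t len) {
    if (!accept_len_unsigned(len)) {
        return false;
    }
    size_t fread_count = len;        /* widening, never sign-extending */
    return fread_count > DESC_SIZE;  /* cannot be true once the check passed */
}

/* Constructed 4-byte little-endian length field as a crafted file might
 * carry it; the real file's byte order is an assumption. */
static const unsigned char CRAFTED_LEN_FIELD[4] = {0xff, 0xff, 0xff, 0xff};

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Same field, run through both versions of the check. */
static bool crafted_field_bypasses_signed_check(void) {
    return signed_check_lets_read_overflow((int)read_le32(CRAFTED_LEN_FIELD));
}

static bool crafted_field_bypasses_unsigned_check(void) {
    return unsigned_check_lets_read_overflow(read_le32(CRAFTED_LEN_FIELD));
}
```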
Zack 2020-01-17 14:39:58 -05:00 committed by Edênis Freindorfer Azevedo
parent 77c299c13f
commit 6a8a9e6244
1 changed file with 1 addition and 1 deletion


@ -2047,7 +2047,7 @@ bool cheatsImportGSACodeFile(const char* name, int game, bool v3)
return false;
}
int len = 0;
uint32_t len = 0;
bool found = false;
int g = 0;
while (games > 0) {
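Review bot: the hunk shows only the type change at `uint32_t len = 0;`; the bounds check the commit message relies on, and the `fread` into `desc`, lie outside the seven lines of context, so it cannot be confirmed here that the check's other operand is unsigned (for example `sizeof(desc)`) rather than a signed constant, which is what makes an unsigned `len` sufficient on its own; please widen the context or state the comparison in the message. If `len` is populated from a value returned as `int`, a negative value now wraps to a large `uint32_t`, so the check must still reject anything above the buffer size, which it does as long as it compares against that size. Minor: the message says the `fseek` length parameter is `size_t`; `fseek` takes a `long` offset, and it is `fread` whose count is `size_t`, so the description would be more accurate naming `fread`.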