Fix integer overflow in cheatsImportGSACodeFile length check.
Although a length check is being performed on the imported GSA Codes file, `len` is both a signed int and attacker controlled. With a specially crafted GSA Codes file, an attacker could specify a value for `len` that overflows the `int` type, rolling over into a negative number. By doing so, the attacker can bypass the conditional mentioned above. The `fseek` length parameter is of type `size_t`, which is an unsigned int; this will result in `len` being interpreted as a large unsigned int, allowing for a stack-based buffer overflow in the `desc` char array. By making `len` an unsigned integer, it will prevent the overflow. It ensures that the bounds check works as intended.
parent 77c299c13f
commit 6a8a9e6244
@ -2047,7 +2047,7 @@ bool cheatsImportGSACodeFile(const char* name, int game, bool v3)
return false;
}
int len = 0;
uint32_t len = 0;
bool found = false;
int g = 0;
while (games > 0) {
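Review bot: the hunk changes only the declaration (`int len = 0;` to `uint32_t len = 0;`), while the read that fills `len` and the comparison against the `desc` buffer that the commit message relies on sit outside the shown context, so the fix is only complete if that comparison is now an unsigned-vs-unsigned check against `sizeof(desc)` (or the same constant used to size the array); please show or confirm that line in the change. A related point from the message: `fseek` takes a `long` offset, not a `size_t`, so if `len` is passed to `fseek`, a `uint32_t` is converted to `long` and on a 32-bit `long` values above `LONG_MAX` become negative again; the bounds check against the buffer must run before any such call. Consider `size_t` for `len` to match the `sizeof` comparison and avoid signed/unsigned comparison warnings.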