From 6a8a9e62443e6813a06bcab97f3bbef51ca089f2 Mon Sep 17 00:00:00 2001 From: Zack Date: Fri, 17 Jan 2020 14:39:58 -0500 Subject: [PATCH] Fix integer overflow in cheatsImportGSACodeFile length check. Although a length check is being performed on the imported GSA Codes file, `len` is both a signed int and attacker controlled. With a specially crafted GSA Codes file, an attacker could specify a value for `len` that overflows the `int` type, rolling over into a negative number. By doing so, the attacker can bypass the conditional mentioned above. The `fseek` length parameter is of type `size_t`, which is an unsigned int; this will result in `len` being interpreted as a large unsigned int, allowing for a stack-based buffer overflow in the desc char array. Making `len` an unsigned integer will prevent the overflow. It ensures that the bounds check works as intended. --- src/gba/Cheats.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/gba/Cheats.cpp b/src/gba/Cheats.cpp index 0c59678c..b32c87c6 100644 --- a/src/gba/Cheats.cpp +++ b/src/gba/Cheats.cpp @@ -2047,7 +2047,7 @@ bool cheatsImportGSACodeFile(const char* name, int game, bool v3) return false; } - int len = 0; + uint32_t len = 0; bool found = false; int g = 0; while (games > 0) {
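Review bot: the hunk changes only the declaration (`- int len = 0;` / `+ uint32_t len = 0;`), while the length check the commit message relies on lies outside the shown context, so please confirm in the same function that the comparison against the `desc` buffer is now an unsigned-versus-unsigned comparison with an explicit bound (for example rejecting the entry when `len >= sizeof(desc)`), rather than relying only on the wider type to keep the value non-negative; a check written that way also survives a later change of the variable's type. Two smaller points: `uint32_t` must be declared through `<cstdint>` or `<stdint.h>` somewhere reachable from Cheats.cpp, which this hunk does not show, and the standard `fseek` offset parameter is a `long`, not `size_t`, so on targets where `long` is 32 bits a `uint32_t` above INT32_MAX would still convert to a negative offset; the conversion that matters for the `desc` write is the one into `fread`'s `size_t` count, and the bound above should be enforced before that call. A short source comment noting that `len` is read from an untrusted file would help future readers understand why the type and the check are both needed.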