ShuriZma
/
visualboyadvance-m
mirror of https://github.com/visualboyadvance-m/visualboyadvance-m.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix integer overflow in cheatsImportGSACodeFile length check. 

Although a length check is being performed on the imported GSA Codes file, `len` is both a signed int and attacker controlled.

With a specially crafted GSA Codes file, an attacker could specify a value for `len` that overflows the `int` type, rolling over into a negative number. By doing so, the attacker can bypass the conditional mentioned above.

The `fseek` length parameter is of type `size_t` which is an unsigned int, this will result in `len` being interpreted as a large unsigned int, allowing for a stack based buffed overflow in the desc char array.

By making `len` an unsigned integer, it will prevent the overflow. It ensures that the bounds check works as intended.
This commit is contained in:
Zack 2020-01-17 14:39:58 -05:00 committed by Edênis Freindorfer Azevedo
parent 77c299c13f
commit 6a8a9e6244
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/gba/Cheats.cpp
View File

@ -2047,7 +2047,7 @@ bool cheatsImportGSACodeFile(const char* name, int game, bool v3)
return false; return false;
} }
int len = 0; uint32_t len = 0;
bool found = false; bool found = false;
int g = 0; int g = 0;
while (games > 0) { while (games > 0) {