Fix buffer overflow vulnerability in pif_process

https://github.com/n64dev/cen64/issues/122
Christopher Bonhage 2021-07-22 17:46:29 -04:00 committed by Simon Eriksson
parent 6362964386
commit 202d2359c1


@ -236,7 +236,7 @@ int pif_perform_command(struct si_controller *si,
// Emulates the PIF operation.
void pif_process(struct si_controller *si) {
unsigned channel = 0;
int ptr = 0;
unsigned ptr = 0;
if (si->command[0x3F] != 0x1)
return;
@ -255,16 +255,23 @@ void pif_process(struct si_controller *si) {
int8_t recv_bytes = si->command[ptr++];
uint8_t recv_buf[0x40];
uint8_t send_buf[0x40];
int result;
if (recv_bytes == -2)
break;
// SECURITY: Ensure memcpy cannot buffer overflow
// if send_bytes or recv_bytes exceed si->command.
if (
(ptr + send_bytes) > sizeof(si->command) ||
(ptr + send_bytes + recv_bytes) > sizeof(si->command)
)
break;
memcpy(send_buf, si->command + ptr, send_bytes);
ptr += send_bytes;
memcpy(recv_buf, si->command + ptr, recv_bytes);
result = pif_perform_command(si, channel,
int result = pif_perform_command(si, channel,
send_buf, send_bytes, recv_buf, recv_bytes);
if (result == 0) {