From 36a70ed60572496a6c1672de11562a34a3e75380 Mon Sep 17 00:00:00 2001
From: Devine Lu Linvega
Date: Thu, 2 Feb 2023 10:20:19 -0800
Subject: [PATCH] Protect system_cmd from reading out of bounds

---
 src/devices/system.c | 31 +++++++++++++++----------------
 src/devices/system.h | 1 +
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/src/devices/system.c b/src/devices/system.c
index 78050b0..f0744eb 100644
--- a/src/devices/system.c
+++ b/src/devices/system.c
@@ -32,6 +32,21 @@ system_print(Stack *s, char *name)
 fprintf(stderr, "\n");
 }
 
+static void
+system_cmd(Uint8 *ram, Uint16 addr)
+{
+ if(ram[addr] == 0x01) {
+ int src, dst;
+ Uint16 i, args[5]; /* length, a_page, a_addr, b_page, b_addr */
+ for(i = 0; i < 5; i++)
+ args[i] = PEEK16(ram + addr + 1 + i * 2);
+ src = (args[1] % RAM_PAGES) * 0x10000;
+ dst = (args[3] % RAM_PAGES) * 0x10000;
+ for(i = 0; i < args[0]; i++)
+ ram[dst + (Uint16)(args[4] + i)] = ram[src + (Uint16)(args[2] + i)];
+ }
+}
+
 void
 system_inspect(Uxn *u)
 {
@@ -39,22 +54,6 @@ system_inspect(Uxn *u)
 system_print(u->rst, "rst");
 }
 
-/* RAM */
-
-void
-system_cmd(Uint8 *ram, Uint16 addr)
-{
- Uint16 a = addr, i = 0;
- Uint8 o = ram[a++];
- if(o == 1) {
- Uint16 length = (ram[a++] << 8) + ram[a++];
- Uint16 src_page = ((ram[a++] << 8) + ram[a++]) % 16, src_addr = (ram[a++] << 8) + ram[a++];
- Uint16 dst_page = ((ram[a++] << 8) + ram[a++]) % 16, dst_addr = (ram[a++] << 8) + ram[a];
- for(i = 0; i < length; i++)
- ram[dst_page * 0x10000 + dst_addr + i] = ram[src_page * 0x10000 + src_addr + i];
- }
-}
-
 int
 system_load(Uxn *u, char *filename)
 {
diff --git a/src/devices/system.h b/src/devices/system.h
index 87923e0..6fc31e1 100644
--- a/src/devices/system.h
+++ b/src/devices/system.h
@@ -10,6 +10,7 @@ WITH REGARD TO THIS SOFTWARE.
 */
 
 #define RAM_PAGES 0x10
+#define PEEK16(d) ((d)[0] << 8 | (d)[1])
 
 int system_load(Uxn *u, char *filename);
 void system_deo(Uxn *u, Uint8 *d, Uint8 port);
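Review bot: The argument fetch `args[i] = PEEK16(ram + addr + 1 + i * 2);` no longer wraps at 16 bits the way the removed `Uint16 a` counter did, so a command record whose `addr` lies within ten bytes of 0xffff is now read from the start of the following page. That read, and the `% RAM_PAGES` page selection below it, stay in bounds only if `ram` really spans `RAM_PAGES * 0x10000` bytes; the allocation is not visible in this patch, and the record is presumably supplied by the running ROM. If wrapping inside the page is the intended behaviour, index with a cast as the copy loop already does, `args[i] = ram[(Uint16)(addr + 1 + i * 2)] << 8 | ram[(Uint16)(addr + 2 + i * 2)];`. Either way, state the size requirement in a comment above the function, `/* ram must hold RAM_PAGES * 0x10000 bytes */`.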
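Review bot: `PEEK16` is added to the shared header without a comment, yet it evaluates `d` twice and reads `d[1]`, two things a caller has to know. A one-line comment above it would cover this, `/* big-endian 16-bit read of d[0..1]; d is evaluated twice, and both bytes must lie inside the buffer */`. The only use visible in this patch passes a pointer expression without side effects, so this is about later callers.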