Close some security holes.

This commit is contained in:
Andrew Alderwick 2022-01-23 23:09:25 +00:00
parent 3ee8a2394b
commit 055fa9bcd0
3 changed files with 10 additions and 0 deletions

View File

@ -150,6 +150,8 @@ file_deo(Device *d, Uint8 port)
case 0x5:
DEVPEEK16(a, 0x4);
DEVPEEK16(b, 0xa);
if(b > 0x10000 - a)
b = 0x10000 - a;
res = file_stat(&d->u->ram[a], b);
DEVPOKE16(0x2, res);
break;
@ -165,12 +167,16 @@ file_deo(Device *d, Uint8 port)
case 0xd:
DEVPEEK16(a, 0xc);
DEVPEEK16(b, 0xa);
if(b > 0x10000 - a)
b = 0x10000 - a;
res = file_read(&d->u->ram[a], b);
DEVPOKE16(0x2, res);
break;
case 0xf:
DEVPEEK16(a, 0xe);
DEVPEEK16(b, 0xa);
if(b > 0x10000 - a)
b = 0x10000 - a;
res = file_write(&d->u->ram[a], b, d->dat[0x7]);
DEVPOKE16(0x2, res);
break;

View File

@ -163,6 +163,8 @@ screen_deo(Device *d, Uint8 port)
DEVPEEK16(x, 0x8);
DEVPEEK16(y, 0xa);
DEVPEEK16(addr, 0xc);
if(addr > 0xfff8 - twobpp * 8)
return;
screen_blit(&uxn_screen, layer, x, y, &d->u->ram[addr], d->dat[0xf] & 0xf, d->dat[0xf] & 0x10, d->dat[0xf] & 0x20, twobpp);
if(d->dat[0x6] & 0x04) DEVPOKE16(0xc, addr + 8 + twobpp * 8); /* auto addr+length */
if(d->dat[0x6] & 0x01) DEVPOKE16(0x8, x + 8); /* auto x+8 */

View File

@ -205,6 +205,8 @@ audio_deo(Device *d, Uint8 port)
DEVPEEK16(adsr, 0x8);
DEVPEEK16(c->len, 0xa);
DEVPEEK16(addr, 0xc);
if(c->len > 0x10000 - addr)
c->len = 0x10000 - addr;
c->addr = &d->u->ram[addr];
c->volume[0] = d->dat[0xe] >> 4;
c->volume[1] = d->dat[0xe] & 0xf;