commit 055fa9bcd0118a62f66e2f87146de13bed7cc68c
parent 3ee8a2394b43fefca5f24f7acf55cb5b32a83189
Author: Andrew Alderwick <andrew@alderwick.co.uk>
Date: Sun, 23 Jan 2022 23:09:25 +0000
Close some security holes.
Diffstat:
3 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/src/devices/file.c b/src/devices/file.c
@@ -150,6 +150,8 @@ file_deo(Device *d, Uint8 port)
case 0x5:
DEVPEEK16(a, 0x4);
DEVPEEK16(b, 0xa);
+ if(b > 0x10000 - a)
+ b = 0x10000 - a;
res = file_stat(&d->u->ram[a], b);
DEVPOKE16(0x2, res);
break;
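Review bot: The two-line clamp added for port 0x5 is written out again for ports 0xd and 0xf in the next hunk and for `c->len` in audio_deo (src/uxnemu.c), so the literal `0x10000` now encodes the RAM size in four places. Nothing ties it to how `d->u->ram` is allocated, which this diff does not show. A single shared macro such as `#define CLAMP_LEN(addr, len) do { if((len) > 0x10000 - (addr)) (len) = 0x10000 - (addr); } while(0)` would keep the four sites in step. The comparison is only safe because `a` is promoted to int before the subtraction, so a short comment like `/* keep a + b inside the 64 KiB RAM */` should say so; `a` and `b` are declared outside the hunk, so their 16-bit width is presumed. file_deo begins and ends outside this hunk.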
@@ -165,12 +167,16 @@ file_deo(Device *d, Uint8 port)
case 0xd:
DEVPEEK16(a, 0xc);
DEVPEEK16(b, 0xa);
+ if(b > 0x10000 - a)
+ b = 0x10000 - a;
res = file_read(&d->u->ram[a], b);
DEVPOKE16(0x2, res);
break;
case 0xf:
DEVPEEK16(a, 0xe);
DEVPEEK16(b, 0xa);
+ if(b > 0x10000 - a)
+ b = 0x10000 - a;
res = file_write(&d->u->ram[a], b, d->dat[0x7]);
DEVPOKE16(0x2, res);
break;
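Review bot: At ports 0xd and 0xf the clamp silently shortens the transfer, so the guest only learns of it through a smaller count in port 0x2, and for 0xf that looks the same as a partial write. A comment on each case such as `/* length is truncated at the end of RAM; the short count is reported in port 0x2 */` would document this. file_deo continues outside both hunks, so it is not visible whether any other port passes `&d->u->ram[...]` to a helper that reads until a terminator instead of taking a length. If one does, a length clamp cannot cover it and it would need its own bound.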
diff --git a/src/devices/screen.c b/src/devices/screen.c
@@ -163,6 +163,8 @@ screen_deo(Device *d, Uint8 port)
DEVPEEK16(x, 0x8);
DEVPEEK16(y, 0xa);
DEVPEEK16(addr, 0xc);
+ if(addr > 0xfff8 - twobpp * 8)
+ return;
screen_blit(&uxn_screen, layer, x, y, &d->u->ram[addr], d->dat[0xf] & 0xf, d->dat[0xf] & 0x10, d->dat[0xf] & 0x20, twobpp);
if(d->dat[0x6] & 0x04) DEVPOKE16(0xc, addr + 8 + twobpp * 8); /* auto addr+length */
if(d->dat[0x6] & 0x01) DEVPOKE16(0x8, x + 8); /* auto x+8 */
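Review bot: The new guard leaves screen_deo with `return` rather than skipping only the blit, so the auto-increment writes on the following lines and anything later in the function (outside the hunk) are skipped too, and the guest gets no signal that the sprite was dropped. A comment such as `/* sprite data would run past the end of RAM: ignore the draw */` would record that this is intended. The bound is correct only if `twobpp` is 0 or 1, and it is set outside the hunk. Writing the check as `if(addr > 0x10000 - (8 + twobpp * 8))` would mirror the length expression on the auto addr line and make it easier to verify.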
diff --git a/src/uxnemu.c b/src/uxnemu.c
@@ -205,6 +205,8 @@ audio_deo(Device *d, Uint8 port)
DEVPEEK16(adsr, 0x8);
DEVPEEK16(c->len, 0xa);
DEVPEEK16(addr, 0xc);
+ if(c->len > 0x10000 - addr)
+ c->len = 0x10000 - addr;
c->addr = &d->u->ram[addr];
c->volume[0] = d->dat[0xe] >> 4;
c->volume[1] = d->dat[0xe] & 0xf;