commit 36a70ed60572496a6c1672de11562a34a3e75380
parent 33d6ef8cd28c73b4f6238934979d130a5523b9c9
Author: Devine Lu Linvega <aliceffekt@gmail.com>
Date: Thu, 2 Feb 2023 10:20:19 -0800
Protect system_cmd from reading out of bounds
Diffstat:
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/devices/system.c b/src/devices/system.c
@@ -32,27 +32,26 @@ system_print(Stack *s, char *name)
fprintf(stderr, "\n");
}
-void
-system_inspect(Uxn *u)
+static void
+system_cmd(Uint8 *ram, Uint16 addr)
{
- system_print(u->wst, "wst");
- system_print(u->rst, "rst");
+ if(ram[addr] == 0x01) {
+ int src, dst;
+ Uint16 i, args[5]; /* length, a_page, a_addr, b_page, b_addr */
+ for(i = 0; i < 5; i++)
+ args[i] = PEEK16(ram + addr + 1 + i * 2);
+ src = (args[1] % RAM_PAGES) * 0x10000;
+ dst = (args[3] % RAM_PAGES) * 0x10000;
+ for(i = 0; i < args[0]; i++)
+ ram[dst + (Uint16)(args[4] + i)] = ram[src + (Uint16)(args[2] + i)];
+ }
}
-/* RAM */
-
void
-system_cmd(Uint8 *ram, Uint16 addr)
+system_inspect(Uxn *u)
{
- Uint16 a = addr, i = 0;
- Uint8 o = ram[a++];
- if(o == 1) {
- Uint16 length = (ram[a++] << 8) + ram[a++];
- Uint16 src_page = ((ram[a++] << 8) + ram[a++]) % 16, src_addr = (ram[a++] << 8) + ram[a++];
- Uint16 dst_page = ((ram[a++] << 8) + ram[a++]) % 16, dst_addr = (ram[a++] << 8) + ram[a];
- for(i = 0; i < length; i++)
- ram[dst_page * 0x10000 + dst_addr + i] = ram[src_page * 0x10000 + src_addr + i];
- }
+ system_print(u->wst, "wst");
+ system_print(u->rst, "rst");
}
int
diff --git a/src/devices/system.h b/src/devices/system.h
@@ -10,6 +10,7 @@ WITH REGARD TO THIS SOFTWARE.
*/
#define RAM_PAGES 0x10
+#define PEEK16(d) ((d)[0] << 8 | (d)[1])
int system_load(Uxn *u, char *filename);
void system_deo(Uxn *u, Uint8 *d, Uint8 port);
