Browse code
Close some security holes.
Andrew Alderwick authored on 23/01/2022 23:09:25
Showing 3 changed files
| ... | ... |
@@ -150,6 +150,8 @@ file_deo(Device *d, Uint8 port) |
| 150 | 150 |
case 0x5: |
| 151 | 151 |
DEVPEEK16(a, 0x4); |
| 152 | 152 |
DEVPEEK16(b, 0xa); |
| 153 |
+ if(b > 0x10000 - a) |
|
| 154 |
+ b = 0x10000 - a; |
|
| 153 | 155 |
res = file_stat(&d->u->ram[a], b); |
| 154 | 156 |
DEVPOKE16(0x2, res); |
| 155 | 157 |
break; |
| ... | ... |
@@ -165,12 +167,16 @@ file_deo(Device *d, Uint8 port) |
| 165 | 167 |
case 0xd: |
| 166 | 168 |
DEVPEEK16(a, 0xc); |
| 167 | 169 |
DEVPEEK16(b, 0xa); |
| 170 |
+ if(b > 0x10000 - a) |
|
| 171 |
+ b = 0x10000 - a; |
|
| 168 | 172 |
res = file_read(&d->u->ram[a], b); |
| 169 | 173 |
DEVPOKE16(0x2, res); |
| 170 | 174 |
break; |
| 171 | 175 |
case 0xf: |
| 172 | 176 |
DEVPEEK16(a, 0xe); |
| 173 | 177 |
DEVPEEK16(b, 0xa); |
| 178 |
+ if(b > 0x10000 - a) |
|
| 179 |
+ b = 0x10000 - a; |
|
| 174 | 180 |
res = file_write(&d->u->ram[a], b, d->dat[0x7]); |
| 175 | 181 |
DEVPOKE16(0x2, res); |
| 176 | 182 |
break; |
| ... | ... |
@@ -163,6 +163,8 @@ screen_deo(Device *d, Uint8 port) |
| 163 | 163 |
DEVPEEK16(x, 0x8); |
| 164 | 164 |
DEVPEEK16(y, 0xa); |
| 165 | 165 |
DEVPEEK16(addr, 0xc); |
| 166 |
+ if(addr > 0xfff8 - twobpp * 8) |
|
| 167 |
+ return; |
|
| 166 | 168 |
screen_blit(&uxn_screen, layer, x, y, &d->u->ram[addr], d->dat[0xf] & 0xf, d->dat[0xf] & 0x10, d->dat[0xf] & 0x20, twobpp); |
| 167 | 169 |
if(d->dat[0x6] & 0x04) DEVPOKE16(0xc, addr + 8 + twobpp * 8); /* auto addr+length */ |
| 168 | 170 |
if(d->dat[0x6] & 0x01) DEVPOKE16(0x8, x + 8); /* auto x+8 */ |
| ... | ... |
@@ -205,6 +205,8 @@ audio_deo(Device *d, Uint8 port) |
| 205 | 205 |
DEVPEEK16(adsr, 0x8); |
| 206 | 206 |
DEVPEEK16(c->len, 0xa); |
| 207 | 207 |
DEVPEEK16(addr, 0xc); |
| 208 |
+ if(c->len > 0x10000 - addr) |
|
| 209 |
+ c->len = 0x10000 - addr; |
|
| 208 | 210 |
c->addr = &d->u->ram[addr]; |
| 209 | 211 |
c->volume[0] = d->dat[0xe] >> 4; |
| 210 | 212 |
c->volume[1] = d->dat[0xe] & 0xf; |