gpulib: fix out-of-bounds reads in do_cmd_buffer()

When gpu.cmd_buffer[] is filling up, and the last 1 or 2 words
in it are the beginning of a new vram read/write cmd, do_cmd_buffer()
would access out-of-bounds, reading garbage pos/size data.

Fixes corrupted gfx in this PS1 .exe test utility:
https://github.com/PeterLemon/PSX/tree/master/CPUTest/CPU/LOADSTORE/LW
(This and all similar tests on Peter's site).
Note that gfx access in this utility is done entirely through cmds given
through GPUwriteData(), i.e. direct CPU->GP0 stores, not DMA.

diff --git a/plugins/gpulib/gpu.c b/plugins/gpulib/gpu.c
index 125bd89..d67df03 100644 (file)
--- a/plugins/gpulib/gpu.c
+++ b/plugins/gpulib/gpu.c
@@ -457,6 +457,12 @@ static noinline int do_cmd_buffer(uint32_t *data, int count)
 
     cmd = data[pos] >> 24;
     if (0xa0 <= cmd && cmd <= 0xdf) {
+      if (unlikely((pos+2) >= count)) {
+        // incomplete vram write/read cmd, can't consume yet
+        cmd = -1;
+        break;
+      }
+
       // consume vram write/read cmd
       start_vram_transfer(data[pos + 1], data[pos + 2], (cmd & 0xe0) == 0xc0);
       pos += 3;