From: Daniel Silsby
Date: Sat, 9 Nov 2019 01:30:04 +0000 (-0500)
Subject: gpulib: fix out-of-bounds reads in do_cmd_buffer()
X-Git-Tag: r23~154^2
X-Git-Url: https://notaz.gp2x.de/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7194a46a0eb7583f7af0b5807e6ffde006733111;p=pcsx_rearmed.git

gpulib: fix out-of-bounds reads in do_cmd_buffer()

When gpu.cmd_buffer[] is filling up, and the last 1 or 2 words in it are the beginning of a new vram read/write cmd, do_cmd_buffer() would access out-of-bounds, reading garbage pos/size data.

Fixes corrupted gfx in this PS1 .exe test utility: https://github.com/PeterLemon/PSX/tree/master/CPUTest/CPU/LOADSTORE/LW (This and all similar tests on Peter's site).

Note that gfx access in this utility is done entirely through cmds given through GPUwriteData(), i.e. direct CPU->GP0 stores, not DMA.

---
diff --git a/plugins/gpulib/gpu.c b/plugins/gpulib/gpu.c index 125bd89b..d67df03c 100644 --- a/plugins/gpulib/gpu.c +++ b/plugins/gpulib/gpu.c @@ -457,6 +457,12 @@ static noinline int do_cmd_buffer(uint32_t *data, int count) cmd = data[pos] >> 24; if (0xa0 <= cmd && cmd <= 0xdf) { + if (unlikely((pos+2) >= count)) { + // incomplete vram write/read cmd, can't consume yet + cmd = -1; + break; + } + // consume vram write/read cmd start_vram_transfer(data[pos + 1], data[pos + 2], (cmd & 0xe0) == 0xc0); pos += 3;
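Review bot: the bound in `if (unlikely((pos+2) >= count))` is the right one for the two reads that follow it, since `data[pos + 1]` and `data[pos + 2]` are both inside the `count` words only when `pos + 2 < count`, and breaking before `pos += 3` leaves `pos` at the first word of the partial command so the caller can keep those 1 or 2 words for the next call; it would be worth confirming in the caller that `cmd = -1` is handled as "unconsumed words remain" rather than as an error, because that is what makes this safe rather than merely non-crashing. Minor style point in the same hunk: `pos+2` could be written `pos + 2` to match the spacing used in `data[pos + 1]` two lines below.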