diff options
author | Daniel Silsby | 2019-11-08 20:30:04 -0500 |
---|---|---|
committer | twinaphex | 2020-02-08 15:50:06 +0100 |
commit | 79573c20e473b4f8490a50b772a1636a50c1b594 (patch) | |
tree | 69d87122cf6af8870bfde511328052111c0e716a /plugins/gpulib | |
parent | ea884d3029c673e06a4084156ceb662598d8945a (diff) | |
download | pcsx_rearmed-79573c20e473b4f8490a50b772a1636a50c1b594.tar.gz pcsx_rearmed-79573c20e473b4f8490a50b772a1636a50c1b594.tar.bz2 pcsx_rearmed-79573c20e473b4f8490a50b772a1636a50c1b594.zip |
gpulib: fix out-of-bounds reads in do_cmd_buffer()
When gpu.cmd_buffer[] is filling up, and the last 1 or 2 words
in it are the beginning of a new vram read/write cmd, do_cmd_buffer()
would access out-of-bounds, reading garbage pos/size data.
Fixes corrupted gfx in this PS1 .exe test utility:
https://github.com/PeterLemon/PSX/tree/master/CPUTest/CPU/LOADSTORE/LW
(This and all similar tests on Peter's site).
Note that gfx access in this utility is done entirely through cmds given
through GPUwriteData(), i.e. direct CPU->GP0 stores, not DMA.
Diffstat (limited to 'plugins/gpulib')
-rw-r--r-- | plugins/gpulib/gpu.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/gpulib/gpu.c b/plugins/gpulib/gpu.c index 17386b4..007da65 100644 --- a/plugins/gpulib/gpu.c +++ b/plugins/gpulib/gpu.c @@ -528,6 +528,12 @@ static noinline int do_cmd_buffer(uint32_t *data, int count) cmd = data[pos] >> 24; if (0xa0 <= cmd && cmd <= 0xdf) { + if (unlikely((pos+2) >= count)) { + // incomplete vram write/read cmd, can't consume yet + cmd = -1; + break; + } + // consume vram write/read cmd start_vram_transfer(data[pos + 1], data[pos + 2], (cmd & 0xe0) == 0xc0); pos += 3; |