author: Daniel Silsby, 2019-11-08 20:30:04 -0500
committer: twinaphex, 2020-02-08 15:50:06 +0100
commit: 79573c20e473b4f8490a50b772a1636a50c1b594 (patch)
tree: 69d87122cf6af8870bfde511328052111c0e716a /plugins/gpulib
parent: ea884d3029c673e06a4084156ceb662598d8945a (diff)
gpulib: fix out-of-bounds reads in do_cmd_buffer()
When gpu.cmd_buffer[] is filling up, and the last 1 or 2 words in it are the beginning of a new vram read/write cmd, do_cmd_buffer() would access out-of-bounds, reading garbage pos/size data.

Fixes corrupted gfx in this PS1 .exe test utility: https://github.com/PeterLemon/PSX/tree/master/CPUTest/CPU/LOADSTORE/LW (This and all similar tests on Peter's site).

Note that gfx access in this utility is done entirely through cmds given through GPUwriteData(), i.e. direct CPU->GP0 stores, not DMA.
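The following is an added example and not code from pcsx_rearmed or from the commit above: a toy GP0 command FIFO that is filled one word at a time (as GPUwriteData() does) and drained by a parser that can run with or without the bounds check the commit introduces. It shows what the unchecked parser decodes when the buffer ends with a bare VRAM-transfer header, and how the checked parser defers the command and keeps the header until its position and size words arrive. The names cmdbuf, parse_gp0, cmdbuf_drain and scenario are hypothetical; the field layout of the transfer command (word 1 = (Y << 16) | X, word 2 = (H << 16) | W, the PS1 A0h/C0h convention) and the treatment of every other command as a single word are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not pcsx_rearmed code. Assumptions: VRAM transfer commands
 * (0xa0..0xdf) are three words, word 1 = (Y << 16) | X, word 2 = (H << 16) | W;
 * every other command is one word. */

#define CMDBUF_WORDS 8

struct vram_xfer { int valid, is_read, x, y, w, h; };

struct cmdbuf {
    uint32_t words[CMDBUF_WORDS];  /* words beyond count are stale */
    int count;                     /* fill level */
};

static void cmdbuf_push(struct cmdbuf *cb, uint32_t w)
{
    if (cb->count < CMDBUF_WORDS)
        cb->words[cb->count++] = w;
}

/* Parse words[0..count). Returns the number of words consumed and sets
 * *incomplete when a transfer header is present without its pos/size words.
 * bounds_checked == 0 reproduces the pre-fix behaviour: the stale words at
 * [count] and [count+1] are decoded as position and size. */
static int parse_gp0(const struct cmdbuf *cb, int bounds_checked,
                     struct vram_xfer *out, int *incomplete)
{
    int pos = 0;
    *incomplete = 0;
    out->valid = 0;
    while (pos < cb->count) {
        uint32_t cmd = cb->words[pos] >> 24;
        if (0xa0 <= cmd && cmd <= 0xdf) {
            if (bounds_checked && pos + 2 >= cb->count) {
                *incomplete = 1;  /* leave the header for the next call */
                break;
            }
            uint32_t xy = cb->words[pos + 1];  /* stale when pos+1 >= count */
            uint32_t wh = cb->words[pos + 2];
            out->x = xy & 0x3ff;
            out->y = (xy >> 16) & 0x1ff;
            out->w = wh & 0xffff;
            out->h = wh >> 16;
            out->is_read = (cmd & 0xe0) == 0xc0;
            out->valid = 1;
            pos += 3;
        } else {
            pos += 1;
        }
    }
    return pos;
}

/* Drain the FIFO and keep unconsumed words at the front so a later push can
 * complete the command. The unchecked parser over-consumes (pos > count);
 * that is clamped here only to keep the memmove in bounds. */
static int cmdbuf_drain(struct cmdbuf *cb, int bounds_checked,
                        struct vram_xfer *out)
{
    int incomplete;
    int used = parse_gp0(cb, bounds_checked, out, &incomplete);
    int keep = used < cb->count ? cb->count - used : 0;
    memmove(cb->words, cb->words + (cb->count - keep), keep * sizeof(uint32_t));
    cb->count = keep;
    return used;
}

/* Results of the constructed scenario, for inspection after scenario(). */
static struct vram_xfer g_first, g_second;

/* Constructed scenario: the FIFO ends with a VRAM-write header while stale
 * words from an earlier command still sit beyond the fill level; the real
 * position and size arrive only after the first drain. Returns the number of
 * words consumed by that first drain (the FIFO holds 2 at that point). */
static int scenario(int bounds_checked)
{
    struct cmdbuf cb;
    int used;
    memset(&cb, 0, sizeof cb);
    cb.words[2] = 0x01230200;     /* stale: reads as y=0x123, x=0x200 */
    cb.words[3] = 0x00100020;     /* stale: reads as h=0x10, w=0x20 */
    cmdbuf_push(&cb, 0x01000000); /* GP0(01h) clear cache, one word */
    cmdbuf_push(&cb, 0xa0000000); /* GP0(A0h) CPU->VRAM, header only */
    used = cmdbuf_drain(&cb, bounds_checked, &g_first);
    cmdbuf_push(&cb, 0x00400010); /* real position: y=64, x=16 */
    cmdbuf_push(&cb, 0x00080008); /* real size: h=8, w=8 */
    cmdbuf_drain(&cb, bounds_checked, &g_second);
    return used;
}

int main(void)
{
    int checked;
    for (checked = 0; checked < 2; checked++) {
        int used = scenario(checked);
        printf("%s: first drain consumed %d of 2 words; first xfer %s "
               "(x=%d y=%d w=%d h=%d); later xfer %s (x=%d y=%d w=%d h=%d)\n",
               checked ? "checked" : "unchecked", used,
               g_first.valid ? "decoded from stale words" : "deferred",
               g_first.x, g_first.y, g_first.w, g_first.h,
               g_second.valid ? "decoded" : "lost",
               g_second.x, g_second.y, g_second.w, g_second.h);
    }
    return 0;
}
```

Without the check the parser reports four words consumed from a two-word buffer and decodes the stale words as a 32x16 transfer at (512, 291); the genuine position and size words then arrive into an empty FIFO and are parsed as two unrelated one-word commands, so the transfer is lost as well as corrupted. With the check the first drain stops at the header, the header is carried over, and the second drain decodes the intended 8x8 transfer at (16, 64). The carry-over in cmdbuf_drain is the part the hunk itself does not show: a parser that merely breaks out on an incomplete command still needs its caller to retain the unconsumed words.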
Diffstat (limited to 'plugins/gpulib')
-rw-r--r--  plugins/gpulib/gpu.c | 6 ++++++
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/gpulib/gpu.c b/plugins/gpulib/gpu.c
index 17386b4..007da65 100644
--- a/plugins/gpulib/gpu.c
+++ b/plugins/gpulib/gpu.c
@@ -528,6 +528,12 @@ static noinline int do_cmd_buffer(uint32_t *data, int count)
cmd = data[pos] >> 24;
if (0xa0 <= cmd && cmd <= 0xdf) {
+ if (unlikely((pos+2) >= count)) {
+ // incomplete vram write/read cmd, can't consume yet
+ cmd = -1;
+ break;
+ }
+
// consume vram write/read cmd
start_vram_transfer(data[pos + 1], data[pos + 2], (cmd & 0xe0) == 0xc0);
pos += 3;
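Review bot: in the new check at the top of the 0xa0..0xdf branch, `cmd = -1; break;` hands the incomplete command to whatever follows the loop, but nothing in this hunk shows the leftover header word(s) at data[pos..count-1] being retained in gpu.cmd_buffer[] for the next call; please add a comment at the `break` (or a sentence in the commit message) stating that the caller keeps those words unconsumed and re-parses them once more data arrives, since if the caller instead drops them the transfer is lost rather than delayed. The condition itself is right: the command consumes data[pos + 1] and data[pos + 2], so pos+2 must be strictly below count before either is read. Minor style point: `(pos+2)` drops the spaces used by the neighbouring `data[pos + 1]` and `pos += 3;`.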