diff options
author | notaz | 2019-11-11 20:50:44 +0200 |
---|---|---|
committer | GitHub | 2019-11-11 20:50:44 +0200 |
commit | 31d997216cc3ed116125a344a44d2c813d322fc1 (patch) | |
tree | 70dd67df94bcb59e76c5c54143c72e8e354d2d66 /plugins | |
parent | 3c8913013a3bb1908186342759f881baa16602b9 (diff) | |
parent | 7194a46a0eb7583f7af0b5807e6ffde006733111 (diff) | |
download | pcsx_rearmed-31d997216cc3ed116125a344a44d2c813d322fc1.tar.gz pcsx_rearmed-31d997216cc3ed116125a344a44d2c813d322fc1.tar.bz2 pcsx_rearmed-31d997216cc3ed116125a344a44d2c813d322fc1.zip |
Merge pull request #146 from senquack/gpulib_fix
gpulib: fix out-of-bounds reads in do_cmd_buffer()
Diffstat (limited to 'plugins')
-rw-r--r-- | plugins/gpulib/gpu.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/plugins/gpulib/gpu.c b/plugins/gpulib/gpu.c index 125bd89..d67df03 100644 --- a/plugins/gpulib/gpu.c +++ b/plugins/gpulib/gpu.c @@ -457,6 +457,12 @@ static noinline int do_cmd_buffer(uint32_t *data, int count) cmd = data[pos] >> 24; if (0xa0 <= cmd && cmd <= 0xdf) { + if (unlikely((pos+2) >= count)) { + // incomplete vram write/read cmd, can't consume yet + cmd = -1; + break; + } + // consume vram write/read cmd start_vram_transfer(data[pos + 1], data[pos + 2], (cmd & 0xe0) == 0xc0); pos += 3; |