mirror of
https://github.com/dolphin-emu/dolphin.git
synced 2025-01-24 23:11:14 +01:00
Merge pull request #10592 from AdmiralCurtiss/pointerwrap-protections
Common/PointerWrap: Prevent reads/writes past the end of the buffer.
This commit is contained in:
commit
2e01dc0c82
@ -46,11 +46,17 @@ public:
|
|||||||
MODE_VERIFY, // compare
|
MODE_VERIFY, // compare
|
||||||
};
|
};
|
||||||
|
|
||||||
u8** ptr;
|
private:
|
||||||
|
u8** m_ptr_current;
|
||||||
|
u8* m_ptr_end;
|
||||||
Mode mode;
|
Mode mode;
|
||||||
|
|
||||||
public:
|
public:
|
||||||
PointerWrap(u8** ptr_, Mode mode_) : ptr(ptr_), mode(mode_) {}
|
PointerWrap(u8** ptr, size_t size, Mode mode_)
|
||||||
|
: m_ptr_current(ptr), m_ptr_end(*ptr + size), mode(mode_)
|
||||||
|
{
|
||||||
|
}
|
||||||
|
|
||||||
void SetMode(Mode mode_) { mode = mode_; }
|
void SetMode(Mode mode_) { mode = mode_; }
|
||||||
Mode GetMode() const { return mode; }
|
Mode GetMode() const { return mode; }
|
||||||
template <typename K, class V>
|
template <typename K, class V>
|
||||||
@ -208,8 +214,13 @@ public:
|
|||||||
[[nodiscard]] u8* DoExternal(u32& count)
|
[[nodiscard]] u8* DoExternal(u32& count)
|
||||||
{
|
{
|
||||||
Do(count);
|
Do(count);
|
||||||
u8* current = *ptr;
|
u8* current = *m_ptr_current;
|
||||||
*ptr += count;
|
*m_ptr_current += count;
|
||||||
|
if (mode != MODE_MEASURE && *m_ptr_current > m_ptr_end)
|
||||||
|
{
|
||||||
|
// trying to read/write past the end of the buffer, prevent this
|
||||||
|
mode = MODE_MEASURE;
|
||||||
|
}
|
||||||
return current;
|
return current;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -319,26 +330,32 @@ private:
|
|||||||
|
|
||||||
DOLPHIN_FORCE_INLINE void DoVoid(void* data, u32 size)
|
DOLPHIN_FORCE_INLINE void DoVoid(void* data, u32 size)
|
||||||
{
|
{
|
||||||
|
if (mode != MODE_MEASURE && (*m_ptr_current + size) > m_ptr_end)
|
||||||
|
{
|
||||||
|
// trying to read/write past the end of the buffer, prevent this
|
||||||
|
mode = MODE_MEASURE;
|
||||||
|
}
|
||||||
|
|
||||||
switch (mode)
|
switch (mode)
|
||||||
{
|
{
|
||||||
case MODE_READ:
|
case MODE_READ:
|
||||||
memcpy(data, *ptr, size);
|
memcpy(data, *m_ptr_current, size);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case MODE_WRITE:
|
case MODE_WRITE:
|
||||||
memcpy(*ptr, data, size);
|
memcpy(*m_ptr_current, data, size);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case MODE_MEASURE:
|
case MODE_MEASURE:
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case MODE_VERIFY:
|
case MODE_VERIFY:
|
||||||
DEBUG_ASSERT_MSG(COMMON, !memcmp(data, *ptr, size),
|
DEBUG_ASSERT_MSG(COMMON, !memcmp(data, *m_ptr_current, size),
|
||||||
"Savestate verification failure: buf {} != {} (size {}).\n", fmt::ptr(data),
|
"Savestate verification failure: buf {} != {} (size {}).\n", fmt::ptr(data),
|
||||||
fmt::ptr(*ptr), size);
|
fmt::ptr(*m_ptr_current), size);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
*ptr += size;
|
*m_ptr_current += size;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
@ -994,8 +994,8 @@ void WiiSockMan::Convert(sockaddr_in const& from, WiiSockAddrIn& to, s32 addrlen
|
|||||||
|
|
||||||
void WiiSockMan::DoState(PointerWrap& p)
|
void WiiSockMan::DoState(PointerWrap& p)
|
||||||
{
|
{
|
||||||
bool saving =
|
bool saving = p.GetMode() == PointerWrap::Mode::MODE_WRITE ||
|
||||||
p.mode == PointerWrap::Mode::MODE_WRITE || p.mode == PointerWrap::Mode::MODE_MEASURE;
|
p.GetMode() == PointerWrap::Mode::MODE_MEASURE;
|
||||||
auto size = pending_polls.size();
|
auto size = pending_polls.size();
|
||||||
p.Do(size);
|
p.Do(size);
|
||||||
if (!saving)
|
if (!saving)
|
||||||
|
@ -225,8 +225,8 @@ void LoadFromBuffer(std::vector<u8>& buffer)
|
|||||||
|
|
||||||
Core::RunOnCPUThread(
|
Core::RunOnCPUThread(
|
||||||
[&] {
|
[&] {
|
||||||
u8* ptr = &buffer[0];
|
u8* ptr = buffer.data();
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_READ);
|
PointerWrap p(&ptr, buffer.size(), PointerWrap::MODE_READ);
|
||||||
DoState(p);
|
DoState(p);
|
||||||
},
|
},
|
||||||
true);
|
true);
|
||||||
@ -237,14 +237,14 @@ void SaveToBuffer(std::vector<u8>& buffer)
|
|||||||
Core::RunOnCPUThread(
|
Core::RunOnCPUThread(
|
||||||
[&] {
|
[&] {
|
||||||
u8* ptr = nullptr;
|
u8* ptr = nullptr;
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_MEASURE);
|
PointerWrap p_measure(&ptr, 0, PointerWrap::MODE_MEASURE);
|
||||||
|
|
||||||
DoState(p);
|
DoState(p_measure);
|
||||||
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
||||||
buffer.resize(buffer_size);
|
buffer.resize(buffer_size);
|
||||||
|
|
||||||
ptr = &buffer[0];
|
ptr = buffer.data();
|
||||||
p.SetMode(PointerWrap::MODE_WRITE);
|
PointerWrap p(&ptr, buffer_size, PointerWrap::MODE_WRITE);
|
||||||
DoState(p);
|
DoState(p);
|
||||||
},
|
},
|
||||||
true);
|
true);
|
||||||
@ -412,20 +412,22 @@ void SaveAs(const std::string& filename, bool wait)
|
|||||||
[&] {
|
[&] {
|
||||||
// Measure the size of the buffer.
|
// Measure the size of the buffer.
|
||||||
u8* ptr = nullptr;
|
u8* ptr = nullptr;
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_MEASURE);
|
PointerWrap p_measure(&ptr, 0, PointerWrap::MODE_MEASURE);
|
||||||
DoState(p);
|
DoState(p_measure);
|
||||||
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
||||||
|
|
||||||
// Then actually do the write.
|
// Then actually do the write.
|
||||||
|
PointerWrap::Mode p_mode;
|
||||||
{
|
{
|
||||||
std::lock_guard lk(g_cs_current_buffer);
|
std::lock_guard lk(g_cs_current_buffer);
|
||||||
g_current_buffer.resize(buffer_size);
|
g_current_buffer.resize(buffer_size);
|
||||||
ptr = &g_current_buffer[0];
|
ptr = g_current_buffer.data();
|
||||||
p.SetMode(PointerWrap::MODE_WRITE);
|
PointerWrap p(&ptr, buffer_size, PointerWrap::MODE_WRITE);
|
||||||
DoState(p);
|
DoState(p);
|
||||||
|
p_mode = p.GetMode();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (p.GetMode() == PointerWrap::MODE_WRITE)
|
if (p_mode == PointerWrap::MODE_WRITE)
|
||||||
{
|
{
|
||||||
Core::DisplayMessage("Saving State...", 1000);
|
Core::DisplayMessage("Saving State...", 1000);
|
||||||
|
|
||||||
@ -588,8 +590,8 @@ void LoadAs(const std::string& filename)
|
|||||||
|
|
||||||
if (!buffer.empty())
|
if (!buffer.empty())
|
||||||
{
|
{
|
||||||
u8* ptr = &buffer[0];
|
u8* ptr = buffer.data();
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_READ);
|
PointerWrap p(&ptr, buffer.size(), PointerWrap::MODE_READ);
|
||||||
DoState(p);
|
DoState(p);
|
||||||
loaded = true;
|
loaded = true;
|
||||||
loadedSuccessfully = (p.GetMode() == PointerWrap::MODE_READ);
|
loadedSuccessfully = (p.GetMode() == PointerWrap::MODE_READ);
|
||||||
|
@ -230,14 +230,14 @@ bool GameFileCache::SyncCacheFile(bool save)
|
|||||||
{
|
{
|
||||||
// Measure the size of the buffer.
|
// Measure the size of the buffer.
|
||||||
u8* ptr = nullptr;
|
u8* ptr = nullptr;
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_MEASURE);
|
PointerWrap p_measure(&ptr, 0, PointerWrap::MODE_MEASURE);
|
||||||
DoState(&p);
|
DoState(&p_measure);
|
||||||
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
const size_t buffer_size = reinterpret_cast<size_t>(ptr);
|
||||||
|
|
||||||
// Then actually do the write.
|
// Then actually do the write.
|
||||||
std::vector<u8> buffer(buffer_size);
|
std::vector<u8> buffer(buffer_size);
|
||||||
ptr = &buffer[0];
|
ptr = buffer.data();
|
||||||
p.SetMode(PointerWrap::MODE_WRITE);
|
PointerWrap p(&ptr, buffer_size, PointerWrap::MODE_WRITE);
|
||||||
DoState(&p, buffer_size);
|
DoState(&p, buffer_size);
|
||||||
if (f.WriteBytes(buffer.data(), buffer.size()))
|
if (f.WriteBytes(buffer.data(), buffer.size()))
|
||||||
success = true;
|
success = true;
|
||||||
@ -248,7 +248,7 @@ bool GameFileCache::SyncCacheFile(bool save)
|
|||||||
if (!buffer.empty() && f.ReadBytes(buffer.data(), buffer.size()))
|
if (!buffer.empty() && f.ReadBytes(buffer.data(), buffer.size()))
|
||||||
{
|
{
|
||||||
u8* ptr = buffer.data();
|
u8* ptr = buffer.data();
|
||||||
PointerWrap p(&ptr, PointerWrap::MODE_READ);
|
PointerWrap p(&ptr, buffer.size(), PointerWrap::MODE_READ);
|
||||||
DoState(&p, buffer.size());
|
DoState(&p, buffer.size());
|
||||||
if (p.GetMode() == PointerWrap::MODE_READ)
|
if (p.GetMode() == PointerWrap::MODE_READ)
|
||||||
success = true;
|
success = true;
|
||||||
|
@ -26,7 +26,7 @@ void DoCPState(PointerWrap& p)
|
|||||||
p.Do(g_main_cp_state.vtx_desc);
|
p.Do(g_main_cp_state.vtx_desc);
|
||||||
p.DoArray(g_main_cp_state.vtx_attr);
|
p.DoArray(g_main_cp_state.vtx_attr);
|
||||||
p.DoMarker("CP Memory");
|
p.DoMarker("CP Memory");
|
||||||
if (p.mode == PointerWrap::MODE_READ)
|
if (p.GetMode() == PointerWrap::MODE_READ)
|
||||||
{
|
{
|
||||||
CopyPreprocessCPStateFromMain();
|
CopyPreprocessCPStateFromMain();
|
||||||
VertexLoaderManager::g_bases_dirty = true;
|
VertexLoaderManager::g_bases_dirty = true;
|
||||||
|
@ -94,7 +94,7 @@ void DoState(PointerWrap& p)
|
|||||||
p.DoPointer(write_ptr, s_video_buffer);
|
p.DoPointer(write_ptr, s_video_buffer);
|
||||||
s_video_buffer_write_ptr = write_ptr;
|
s_video_buffer_write_ptr = write_ptr;
|
||||||
p.DoPointer(s_video_buffer_read_ptr, s_video_buffer);
|
p.DoPointer(s_video_buffer_read_ptr, s_video_buffer);
|
||||||
if (p.mode == PointerWrap::MODE_READ && s_use_deterministic_gpu_thread)
|
if (p.GetMode() == PointerWrap::MODE_READ && s_use_deterministic_gpu_thread)
|
||||||
{
|
{
|
||||||
// We're good and paused, right?
|
// We're good and paused, right?
|
||||||
s_video_buffer_seen_ptr = s_video_buffer_pp_read_ptr = s_video_buffer_read_ptr;
|
s_video_buffer_seen_ptr = s_video_buffer_pp_read_ptr = s_video_buffer_read_ptr;
|
||||||
|
@ -298,7 +298,7 @@ Common::Vec2 FreeLookCamera::GetFieldOfViewMultiplier() const
|
|||||||
|
|
||||||
void FreeLookCamera::DoState(PointerWrap& p)
|
void FreeLookCamera::DoState(PointerWrap& p)
|
||||||
{
|
{
|
||||||
if (p.mode == PointerWrap::MODE_WRITE || p.mode == PointerWrap::MODE_MEASURE)
|
if (p.GetMode() == PointerWrap::MODE_WRITE || p.GetMode() == PointerWrap::MODE_MEASURE)
|
||||||
{
|
{
|
||||||
p.Do(m_current_type);
|
p.Do(m_current_type);
|
||||||
if (m_camera_controller)
|
if (m_camera_controller)
|
||||||
|
@ -459,6 +459,12 @@ void TextureCacheBase::SerializeTexture(AbstractTexture* tex, const TextureConfi
|
|||||||
// needing to allocate/free an extra buffer.
|
// needing to allocate/free an extra buffer.
|
||||||
u8* texture_data = p.DoExternal(total_size);
|
u8* texture_data = p.DoExternal(total_size);
|
||||||
|
|
||||||
|
if (p.GetMode() == PointerWrap::MODE_MEASURE)
|
||||||
|
{
|
||||||
|
ERROR_LOG_FMT(VIDEO, "Couldn't acquire {} bytes for serializing texture.", total_size);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
if (!skip_readback)
|
if (!skip_readback)
|
||||||
{
|
{
|
||||||
// Save out each layer of the texture to the pointer.
|
// Save out each layer of the texture to the pointer.
|
||||||
|
Loading…
x
Reference in New Issue
Block a user