From 4e462d44f92e6358ba3a1b8be80a5c2e195b5f86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?L=C3=A9o=20Lam?=
Date: Mon, 27 Feb 2017 21:14:06 +0100
Subject: [PATCH] ESFormats: Fix GetRawTicketView

The vector was not constructed with the proper size, which results in a buffer overflow as we were using memcpy. This commit fixes that mistake and also uses a safer way of copying the ticket view data (std::vector::insert instead of memcpy).
---
 Source/Core/Core/IOS/ES/Formats.cpp | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/Source/Core/Core/IOS/ES/Formats.cpp b/Source/Core/Core/IOS/ES/Formats.cpp
index d9474d92f1..34e82db850 100644
--- a/Source/Core/Core/IOS/ES/Formats.cpp
+++ b/Source/Core/Core/IOS/ES/Formats.cpp
@@ -234,14 +234,17 @@ const std::vector& TicketReader::GetRawTicket() const
 std::vector TicketReader::GetRawTicketView(u32 ticket_num) const
 {
 // A ticket view is composed of a view ID + part of a ticket starting from the ticket_id field.
- std::vector view{sizeof(TicketView)};
+ const auto ticket_start = m_bytes.cbegin() + (GetOffset() + sizeof(Ticket)) * ticket_num;
+ const auto view_start = ticket_start + offsetof(Ticket, ticket_id);
- u32 view_id = Common::swap32(ticket_num);
+ // Copy the view ID to the buffer.
+ std::vector view(sizeof(TicketView::view));
+ const u32 view_id = Common::swap32(ticket_num);
 std::memcpy(view.data(), &view_id, sizeof(view_id));
- const size_t ticket_start = (GetOffset() + sizeof(Ticket)) * ticket_num;
- const size_t view_start = ticket_start + offsetof(Ticket, ticket_id);
- std::memcpy(view.data() + sizeof(view_id), &m_bytes[view_start], sizeof(view) - sizeof(view_id));
+ // Copy the rest of the ticket view structure from the ticket.
+ view.insert(view.end(), view_start, view_start + sizeof(TicketView) - sizeof(view_id));
+ _assert_(view.size() == sizeof(TicketView));
 return view;
 }
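Review bot: The read from m_bytes is still unbounded in the new code: `view.insert(view.end(), view_start, view_start + sizeof(TicketView) - sizeof(view_id))` derives both iterators from ticket_num without checking that they lie inside m_bytes, so a ticket_num past the last ticket walks off the end of the vector (the removed `&m_bytes[view_start]` had the same gap; the commit only fixes the destination side). The trailing `_assert_(view.size() == sizeof(TicketView))` cannot catch this, because insert always appends exactly the requested byte count regardless of where it read from. I would validate before computing the iterators, e.g. `const size_t view_end = (GetOffset() + sizeof(Ticket)) * ticket_num + offsetof(Ticket, ticket_id) + sizeof(TicketView) - sizeof(u32);` followed by `_assert_(view_end <= m_bytes.size());`, or, if ticket_num can originate from the emulated guest, return an empty vector instead of asserting and have callers check for it. Whether `(GetOffset() + sizeof(Ticket)) * ticket_num` is the correct per-ticket stride depends on what GetOffset() returns, which is outside the hunk; a one-line comment on the ticket_start line stating the assumed layout (signature size plus ticket body per entry, if that is the case) would make the arithmetic reviewable.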