From 3ca673a6759e488603c01b57e861ed909229bde6 Mon Sep 17 00:00:00 2001
From: Shawn Hoffman
Date: Fri, 5 Aug 2022 17:24:03 -0700
Subject: [PATCH] WiiSave: protect against a stack buffer overflow
---
 Source/Core/Core/HW/WiiSave.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/Source/Core/Core/HW/WiiSave.cpp b/Source/Core/Core/HW/WiiSave.cpp
index 57cb003aee..76c5df6f33 100644
--- a/Source/Core/Core/HW/WiiSave.cpp
+++ b/Source/Core/Core/HW/WiiSave.cpp
@@ -104,14 +104,21 @@ public:
 if (!m_uid || !m_gid)
 return {};
- const auto banner = m_fs->OpenFile(*m_uid, *m_gid, m_data_dir + "/banner.bin", FS::Mode::Read);
+ const auto banner_path = m_data_dir + "/banner.bin";
+ const auto banner = m_fs->OpenFile(*m_uid, *m_gid, banner_path, FS::Mode::Read);
 if (!banner)
 return {};
 Header header{};
 header.banner_size = banner->GetStatus()->size;
+ if (header.banner_size > sizeof(header.banner))
+ {
+ ERROR_LOG_FMT(CORE, "NandStorage::ReadHeader: {} corrupted banner_size: {:x}", banner_path,
+ header.banner_size);
+ return {};
+ }
 header.tid = m_tid;
 header.md5 = s_md5_blanker;
- const u8 mode = GetBinMode(m_data_dir + "/banner.bin");
+ const u8 mode = GetBinMode(banner_path);
 if (!mode || !banner->Read(header.banner, header.banner_size))
 return {};
 header.permissions = mode;
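Review bot: `banner->GetStatus()->size` is still dereferenced without checking that GetStatus() succeeded, so the new bound check on `header.banner_size` compares a value read through a result that may hold an error. The `->` usage suggests GetStatus() returns a result-like object; if it can fail, test it first with `const auto status = banner->GetStatus();` and `if (!status) return {};`, then assign `header.banner_size = status->size;`. The added check also sets only an upper bound, so an empty or undersized banner.bin presumably still passes `Read(header.banner, header.banner_size)` and yields a header with a short banner; a comment saying where the minimum size is enforced would help. The enclosing function (ReadHeader, per the log string) starts and ends outside this hunk.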