Merge pull request #7765 from AdmiralCurtiss/fzero-save-file-out-of-bounds

GCMemcard: Fix out of bounds access in F-Zero GX checksum calculation.
JMC47 2019-03-11 12:40:03 -04:00 committed by GitHub
commit 9e4ab87a34
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1277,12 +1277,15 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
u32 i, j;
u32 serial1, serial2;
u16 chksum = 0xFFFF;
int block = 0;
// check for F-Zero GX system file
if (strcmp(reinterpret_cast<const char*>(direntry.m_filename.data()), "f_zero.dat") != 0)
return 0;
// also make sure that the filesize is correct
if (FileBuffer.size() != 4)
return 0;
// get encrypted destination memory card serial numbers
cardheader.CARD_GetSerialNo(&serial1, &serial2);
@ -1295,7 +1298,9 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
// calc 16-bit checksum
for (i = 0x02; i < 0x8000; i++)
{
chksum ^= (FileBuffer[block].m_block[i - (block * 0x2000)] & 0xFF);
const int block = i / 0x2000;
const int offset = i % 0x2000;
chksum ^= (FileBuffer[block].m_block[offset] & 0xFF);
for (j = 8; j > 0; j--)
{
if (chksum & 1)
@ -1303,8 +1308,6 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
else
chksum >>= 1;
}
if (!(i % 0x2000))
block++;
}
// set new checksum
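Review bot: The new guard `if (FileBuffer.size() != 4)` and the checksum loop bound `i < 0x8000` are tied together only by bare literals, so the bounds safety of `FileBuffer[block]` depends on 4 * 0x2000 == 0x8000 being kept true by hand. Because the save data comes from a memory card file that may be truncated or malformed, I would make that relationship explicit: either add a comment on the guard such as `// the checksum loop below reads 0x8000 bytes = 4 blocks of 0x2000`, or name the block size once and derive the guard, `block` and `offset` from it. `block` and `offset` are also declared `int` while `i` is `u32`; `const u32 block = i / 0x2000;` and `const u32 offset = i % 0x2000;` keep the index arithmetic unsigned. Whether `m_block` actually holds 0x2000 bytes is not visible in these hunks, and the function body starts and ends outside them.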