ips_layer: prevent out of bounds access with offset exceeding module size
This commit is contained in:
parent
12178c694a
commit
d1c99c5d52
1 changed files with 7 additions and 0 deletions
|
@ -73,6 +73,9 @@ VirtualFile PatchIPS(const VirtualFile& in, const VirtualFile& ips) {
|
||||||
return nullptr;
|
return nullptr;
|
||||||
|
|
||||||
auto in_data = in->ReadAllBytes();
|
auto in_data = in->ReadAllBytes();
|
||||||
|
if (in_data.size() == 0) {
|
||||||
|
return nullptr;
|
||||||
|
}
|
||||||
|
|
||||||
std::vector<u8> temp(type == IPSFileType::IPS ? 3 : 4);
|
std::vector<u8> temp(type == IPSFileType::IPS ? 3 : 4);
|
||||||
u64 offset = 5; // After header
|
u64 offset = 5; // After header
|
||||||
|
@ -88,6 +91,10 @@ VirtualFile PatchIPS(const VirtualFile& in, const VirtualFile& ips) {
|
||||||
else
|
else
|
||||||
real_offset = (temp[0] << 16) | (temp[1] << 8) | temp[2];
|
real_offset = (temp[0] << 16) | (temp[1] << 8) | temp[2];
|
||||||
|
|
||||||
|
if (real_offset > in_data.size()) {
|
||||||
|
return nullptr;
|
||||||
|
}
|
||||||
|
|
||||||
u16 data_size{};
|
u16 data_size{};
|
||||||
if (ips->ReadObject(&data_size, offset) != sizeof(u16))
|
if (ips->ReadObject(&data_size, offset) != sizeof(u16))
|
||||||
return nullptr;
|
return nullptr;
|
||||||
|
|
Loading…
Reference in a new issue