
Merge pull request #7765 from AdmiralCurtiss/fzero-save-file-out-of-b…

…ounds

GCMemcard: Fix out of bounds access in F-Zero GX checksum calculation.
JMC47 committed Mar 11, 2019
2 parents 8293724 + fdd19c1 commit 9e4ab87a341519870e4b471c093df1e92a2d2f17
Showing with 7 additions and 4 deletions.
  1. +7 −4 Source/Core/Core/HW/GCMemcard/GCMemcard.cpp
@@ -1277,12 +1277,15 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
u32 i, j;
u32 serial1, serial2;
u16 chksum = 0xFFFF;
int block = 0;

// check for F-Zero GX system file
if (strcmp(reinterpret_cast<const char*>(direntry.m_filename.data()), "f_zero.dat") != 0)
return 0;

// also make sure that the filesize is correct
if (FileBuffer.size() != 4)
return 0;

// get encrypted destination memory card serial numbers
cardheader.CARD_GetSerialNo(&serial1, &serial2);

@@ -1295,16 +1298,16 @@ s32 GCMemcard::FZEROGX_MakeSaveGameValid(const Header& cardheader, const DEntry&
// calc 16-bit checksum
for (i = 0x02; i < 0x8000; i++)
{
chksum ^= (FileBuffer[block].m_block[i - (block * 0x2000)] & 0xFF);
const int block = i / 0x2000;
const int offset = i % 0x2000;
chksum ^= (FileBuffer[block].m_block[offset] & 0xFF);
for (j = 8; j > 0; j--)
{
if (chksum & 1)
chksum = (chksum >> 1) ^ 0x8408;
else
chksum >>= 1;
}
if (!(i % 0x2000))
block++;
}

// set new checksum
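Review bot: The new guard `if (FileBuffer.size() != 4)` and the loop bound `i < 0x8000` are linked only by magic numbers. `FileBuffer[block]` stays in range because 0x8000 / 0x2000 == 4, and nothing in the code says so. A comment on the guard such as `// 4 blocks of 0x2000 bytes: exactly the 0x8000 bytes checksummed below` would help, as would deriving the loop bound from the block count and a named block-size constant, so the two cannot drift apart in a later edit. The guard also returns 0, the same value the filename check returns for a file that is not the F-Zero GX system file, so a wrong-sized `f_zero.dat` presumably passes through with its checksum untouched and no signal to the caller; a log line at that return would make such saves diagnosable. The function body starts and ends outside the visible hunks, and the declared size of `m_block` is not shown, so the `offset < 0x2000` bound should be confirmed against that declaration.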
