Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.Sign up
Fix exploitable HLE problems reported by hthh #4447
The bounds checks in IOCtl were using 0x200 as the size of m_Registers, which is more than the actual size, 0x200 / 4. This commit turns m_Registers into an std::array to allow for a correct and obvious way of getting its size.
%n writes to a pointer that's provided as a parameter. We didn't have a custom implementation of this before, meaning that %n would trigger a write to the host memory instead of the emulated memory!
Review status: 0 of 7 files reviewed at latest revision, 7 unresolved discussions.
Comments from Reviewable
Review status: 0 of 7 files reviewed at latest revision, 2 unresolved discussions.
A semicolon, rather than a period, would be slightly better here since the two independent clauses are closely related. e.g. 'Couldn't get an absolute path; the root directory will be returned.'
superfluous second 'will'
Comments from Reviewable
The way varargs are handled is way too messy/buggy.
The width and precision specifier aren't processed the right way. If someone use a "*" character to specify them as an argument, first, it will take the wrong one as a width/precision, then take on the host stack the one that should be processed. It might crash the user's computer if too many characters have to be written, even if the game/homebrew is legit.
If Dolphin is compiled with printf family functions supporting the POSIX's parameter field extension (which is the case on Linux with GCC, not Windows) an user can also use this notation to format the nth argument:
printf("21 equals %2$d\n", 42, 21);
Same issue as above, it isn't sanitized properly and will leak the host's stack.
Windows & Linux printf family functions are used to format the string but it also means that both implementations need to be supported to prevent that kind of platform-specific issue.
I did notice that GetStringVA's approach is fragile, but I couldn't think of any cases where it would fail (other than the %n one I fixed), so thank you for writing about some problematic cases.
I don't think I will be able to make a proper fix for it any time soon. Would you prefer for this PR to be merged without the %n commit, or for this PR to be committed as-is despite the problems because the %n commit at least fixes the write to host memory? (Or are there problems with commits other than the %n one?)
Not sure about that, I believe the
While I'm not certain if positional parameters can even occur in DOLs (certainly not official game ones I suppose), he does have a point (since Homebrew might; depending on the compiler libogc etc. ship with and its capabilities). But I think that could be a follow-up PR just aswell, which may or may not include a rewrite of that logic to clean it up/make it less fragile (which is IMO a little out-of-scope for this current one).