
GB Serialize: Check DMA destination when loading state

1 parent 740f7a0 commit ff788a017c4daeab34156bc0ea30cbd71b6a74b1 @endrift endrift committed Sep 13, 2016
Showing with 7 additions and 1 deletion.
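--- a/src/gb/serialize.c
+++ b/src/gb/serialize.c
@@ -89,6 +89,7 @@ bool GBDeserialize(struct GB* gb, const struct GBSerializedState* state) {
 int32_t check;
 uint32_t ucheck;
 int16_t check16;
+ uint16_t ucheck16;
 LOAD_32LE(ucheck, 0, &state->versionMagic);
 if (ucheck > GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION) {
 mLOG(GB_STATE, WARN, "Invalid or too new savestate: expected %08X, got %08X", GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION, ucheck);
@@ -126,11 +127,16 @@ bool GBDeserialize(struct GB* gb, const struct GBSerializedState* state) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video eventDiff is negative");
 error = true;
 }
- LOAD_32LE(check16, 0, &state->video.ly);
+ LOAD_16LE(check16, 0, &state->video.ly);
 if (check16 < 0 || check16 > GB_VIDEO_VERTICAL_TOTAL_PIXELS) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video y is out of range");
 error = true;
 }
+ LOAD_16LE(ucheck16, 0, &state->memory.dmaDest);
+ if (ucheck16 >= GB_SIZE_OAM) {
+ mLOG(GB_STATE, WARN, "Savestate is corrupted: DMA destination is out of range");
+ error = true;
+ }
 if (error) {
 return false;
 }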
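Review bot: The new bound `if (ucheck16 >= GB_SIZE_OAM)` rejects dmaDest == GB_SIZE_OAM, and if the DMA service advances dmaDest after every byte and leaves it there once the transfer completes (not visible in this hunk, so confirm against the DMA code), that is exactly the value a state saved right after a finished OAM DMA carries, so a legitimate state would fail to load; the safer form is to bound the destination together with whatever the state records as bytes still pending, e.g. `if (ucheck16 + remaining > GB_SIZE_OAM)`, which also catches a small dmaDest paired with an oversized remaining count that would otherwise run the copy past OAM. If the serialized memory block also carries a DMA source, it is not validated here; whether that matters depends on whether the source read goes through the normal bus access path, which this hunk does not show. A one-line comment above the check, `// dmaDest presumably indexes OAM directly when the transfer resumes, so it must stay inside GB_SIZE_OAM`, would record why this particular bound was chosen. GBDeserialize begins before the first hunk and continues past the end of the second.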
