fix potential RSP DMA buffer overflows, based on change from parallel-n64

richard42 · richard42 · commit 5340dafcc0f5 · 2024-05-20T22:31:07.000-07:00
diff --git a/src/device/rcp/rsp/rsp_core.c b/src/device/rcp/rsp/rsp_core.c
@@ -56,12 +56,12 @@ static void do_sp_dma(struct rsp_core* sp, const struct sp_dma* dma)
     {
         for(j=0; j<count; j++) {
             for(i=0; i<length; i++) {
-                dram[dramaddr^S8] = spmem[memaddr^S8];
+                dram[(dramaddr^S8) & 0x7fffff] = spmem[(memaddr^S8) & 0xfff];
                 memaddr++;
                 dramaddr++;
             }
-
-            post_framebuffer_write(&sp->dp->fb, dramaddr - length, length);
+            if (dramaddr <= 0x800000)
+                post_framebuffer_write(&sp->dp->fb, dramaddr - length, length);
             dramaddr+=skip;
         }
 
@@ -72,10 +72,11 @@ static void do_sp_dma(struct rsp_core* sp, const struct sp_dma* dma)
     else
     {
         for(j=0; j<count; j++) {
-            pre_framebuffer_read(&sp->dp->fb, dramaddr);
+            if (dramaddr < 0x800000)
+                pre_framebuffer_read(&sp->dp->fb, dramaddr);
 
             for(i=0; i<length; i++) {
-                spmem[memaddr^S8] = dram[dramaddr^S8];
+                spmem[(memaddr^S8) & 0xfff] = dram[(dramaddr^S8) & 0x7fffff];
                 memaddr++;
                 dramaddr++;
             }

Original file line number	Diff line number	Diff line change
`@@ -56,12 +56,12 @@ static void do_sp_dma(struct rsp_core* sp, const struct sp_dma* dma)`
`56`	`56`	`{`
`57`	`57`	`for(j=0; j<count; j++) {`
`58`	`58`	`for(i=0; i<length; i++) {`
`59`		`- dram[dramaddr^S8] = spmem[memaddr^S8];`
	`59`	`+ dram[(dramaddr^S8) & 0x7fffff] = spmem[(memaddr^S8) & 0xfff];`
`60`	`60`	`memaddr++;`
`61`	`61`	`dramaddr++;`
`62`	`62`	`}`
`63`		`-`
`64`		`- post_framebuffer_write(&sp->dp->fb, dramaddr - length, length);`
	`63`	`+ if (dramaddr <= 0x800000)`
	`64`	`+ post_framebuffer_write(&sp->dp->fb, dramaddr - length, length);`
`65`	`65`	`dramaddr+=skip;`
`66`	`66`	`}`
`67`	`67`
`@@ -72,10 +72,11 @@ static void do_sp_dma(struct rsp_core* sp, const struct sp_dma* dma)`
`72`	`72`	`else`
`73`	`73`	`{`
`74`	`74`	`for(j=0; j<count; j++) {`
`75`		`- pre_framebuffer_read(&sp->dp->fb, dramaddr);`
	`75`	`+ if (dramaddr < 0x800000)`
	`76`	`+ pre_framebuffer_read(&sp->dp->fb, dramaddr);`
`76`	`77`
`77`	`78`	`for(i=0; i<length; i++) {`
`78`		`- spmem[memaddr^S8] = dram[dramaddr^S8];`
	`79`	`+ spmem[(memaddr^S8) & 0xfff] = dram[(dramaddr^S8) & 0x7fffff];`
`79`	`80`	`memaddr++;`
`80`	`81`	`dramaddr++;`
`81`	`82`	`}`