From cd100a2642d39aabb1a63b545d038008125c19b0 Mon Sep 17 00:00:00 2001
From: SP193
Date: Sun, 24 Feb 2019 20:24:19 +0800
Subject: [PATCH] CDVDFSV: Fixed pointer incorrectly getting incremented, when alignment correction is performed. This resulted in the buffer getting overrun, causing memory corruption.
---
 modules/iopcore/cdvdfsv/cdvdfsv.c | 10 ++++------
 modules/iopcore/cdvdman/cdvdman.c | 4 +---
 2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/modules/iopcore/cdvdfsv/cdvdfsv.c b/modules/iopcore/cdvdfsv/cdvdfsv.c
index e6b9196d1..a8269aee6 100644
--- a/modules/iopcore/cdvdfsv/cdvdfsv.c
+++ b/modules/iopcore/cdvdfsv/cdvdfsv.c
@@ -784,7 +784,6 @@ static inline void cdvd_readee(void *buf)
 u8 curlsn_buf[16];
 u32 nbytes, nsectors, sectors_to_read, size_64b, size_64bb, bytesent, temp;
 int sector_size, flag_64b, fsverror;
- void *fsvRbuf = (void *)cdvdfsv_buf;
 void *eeaddr_64b, *eeaddr2_64b;
 cdvdfsv_readee_t readee;
 RpcCdvd_t *r = (RpcCdvd_t *)buf;
@@ -828,7 +827,6 @@ static inline void cdvd_readee(void *buf)
 temp -= (u32)eeaddr2_64b;
 readee.pdst2 = eeaddr2_64b; // get the end address on a 64 bytes align
 readee.b2len = temp; // get bytes remainder at end of 64 bytes align
- fsvRbuf += temp;
 if (readee.b1len)
 flag_64b = 0; // 64 bytes alignment flag
@@ -866,7 +864,7 @@ static inline void cdvd_readee(void *buf)
 temp = nsectors;
 }
- if (sceCdRead(r->lsn, temp, (void *)fsvRbuf, NULL) == 0) {
+ if (sceCdRead(r->lsn, temp, (void *)cdvdfsv_buf, NULL) == 0) {
 if (sceCdGetError() == CDVD_ERR_NO) {
 fsverror = CDVD_ERR_READCF;
 sceCdSC(CDSC_SET_ERROR, &fsverror);
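Review bot: The new `sceCdRead(r->lsn, temp, (void *)cdvdfsv_buf, NULL)` call writes `temp` sectors into cdvdfsv_buf, and nothing in this hunk relates that count to the buffer's capacity; the clamp `temp = nsectors;` just above is visible, but whatever bounds nsectors lives outside the hunk, and an overrun of this very buffer is what the commit is fixing. If cdvdfsv_buf is a fixed array (as cdvdman_fs_buf is in the second file), a guard before the read such as `if (temp * sector_size > sizeof(cdvdfsv_buf)) { /* reject the request */ }` — using whatever bytes-per-sector value sector_size holds — or at least a comment naming the earlier check that guarantees the fit would stop the invariant from breaking silently if the buffer or sector size ever changes. The enclosing function cdvd_readee starts before this hunk and continues past it.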
@@ -882,14 +880,14 @@ static inline void cdvd_readee(void *buf)
 if (!flag_64b) {
 if (sectors_to_read == r->sectors) // check that was the first read. Data read will be skewed by readee.b1len bytes into the adjacent sector.
- mips_memcpy((void *)readee.buf1, (void *)fsvRbuf, readee.b1len);
+ mips_memcpy((void *)readee.buf1, (void *)cdvdfsv_buf, readee.b1len);
 if ((sectors_to_read == nsectors) && (readee.b1len)) // For the last sector read.
 size_64bb = size_64b - 64;
 }
 if (size_64bb > 0) {
- sysmemSendEE((void *)(fsvRbuf + readee.b1len), (void *)eeaddr_64b, size_64bb);
+ sysmemSendEE((void *)(cdvdfsv_buf + readee.b1len), (void *)eeaddr_64b, size_64bb);
 bytesent += size_64bb;
 }
@@ -903,7 +901,7 @@ static inline void cdvd_readee(void *buf)
 }
 } while ((flag_64b) || (sectors_to_read));
 //At the very last pass, copy readee.b2len bytes from the last sector, to complete the alignment correction.
- mips_memcpy((void *)readee.buf2, (void *)(fsvRbuf + size_64b - readee.b2len), readee.b2len);
+ mips_memcpy((void *)readee.buf2, (void *)(cdvdfsv_buf + size_64b - readee.b2len), readee.b2len);
 }
 *(int *)buf = bytesent;
diff --git a/modules/iopcore/cdvdman/cdvdman.c b/modules/iopcore/cdvdman/cdvdman.c
index 4e021ae99..7a69b514d 100644
--- a/modules/iopcore/cdvdman/cdvdman.c
+++ b/modules/iopcore/cdvdman/cdvdman.c
@@ -210,9 +210,7 @@ static iop_sys_clock_t gCallbackSysClock;
 // buffers
 #define CDVDMAN_BUF_SECTORS 2
 static u8 cdvdman_buf[CDVDMAN_BUF_SECTORS * 2048];
-
-#define CDVDMAN_FS_BUFSIZE CDVDMAN_FS_SECTORS * 2048
-static u8 cdvdman_fs_buf[CDVDMAN_FS_BUFSIZE];
+static u8 cdvdman_fs_buf[CDVDMAN_FS_SECTORS * 2048];
 #define CDVDMAN_MODULE_VERSION 0x225
 static int cdvdman_debug_print_flag = 0;
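Review bot: `size_64bb = size_64b - 64;` is an unsigned subtraction (both variables are declared u32 in the first hunk of this file) whose result is the only thing the `if (size_64bb > 0)` test checks before the new `sysmemSendEE((void *)(cdvdfsv_buf + readee.b1len), ...)` transfer, so a size_64b below 64 would wrap to a huge length and still pass the test. That is presumably unreachable while size_64b is a whole number of sectors, but the guard is one line: `size_64bb = (size_64b >= 64) ? size_64b - 64 : 0;`. The byte arithmetic on cdvdfsv_buf, here and in the tail copy of the following hunk, also relies on cdvdfsv_buf being a byte array rather than the `void *` the removed fsvRbuf was; a comment at its declaration stating that would document the assumption. The enclosing do/while loop and cdvd_readee both extend outside this hunk.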
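Review bot: Removing `CDVDMAN_FS_BUFSIZE` leaves any remaining user of that macro elsewhere in cdvdman.c (none is visible in this hunk) unable to build, and code that needs the byte size of the buffer should take it from `sizeof(cdvdman_fs_buf)` rather than re-typing `CDVDMAN_FS_SECTORS * 2048`. Both array declarations also hard-code `2048` as the sector length; a single named constant (a sector-size define shared by both buffers and the read paths that fill them) would keep those sizes from drifting apart, which is the same class of mismatch that produced the overrun fixed in the first file. The old macro body was unparenthesized, so folding the expression into the array declarator does not change the computed size here.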