From 48f61d7b8076ab5e023079d72335a36420ddadc5 Mon Sep 17 00:00:00 2001
From: death
Date: Tue, 17 Oct 2017 07:00:45 +0300
Subject: [PATCH] better bounds checking for memcpy, memset

---
 src/jsapi.c | 7 +++----
 src/luaapi.c | 11 +++++------
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/src/jsapi.c b/src/jsapi.c
index b090deb..efd1ecf 100644
--- a/src/jsapi.c
+++ b/src/jsapi.c
@@ -466,10 +466,9 @@ static duk_ret_t duk_memcpy(duk_context* duk)
 s32 dest = duk_to_int(duk, 0);
 s32 src = duk_to_int(duk, 1);
 s32 size = duk_to_int(duk, 2);
-s32 dstBound = sizeof(tic_ram) - size;
-s32 srcBound = sizeof(tic_mem) - size;
+s32 bound = sizeof(tic_ram) - size;
 
-if(size > 0 && dest < dstBound && src < srcBound)
+if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && src >= 0 && dest <= bound && src <= bound)
 {
 u8* base = (u8*)&getDukMachine(duk)->memory;
 memcpy(base + dest, base + src, size);
@@ -485,7 +484,7 @@ static duk_ret_t duk_memset(duk_context* duk)
 s32 size = duk_to_int(duk, 2);
 s32 bound = sizeof(tic_ram) - size;
 
-if(size > 0 && dest < bound)
+if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && dest <= bound)
 {
 u8* base = (u8*)&getDukMachine(duk)->memory;
 memset(base + dest, value, size);
diff --git a/src/luaapi.c b/src/luaapi.c
index c005e57..4955b03 100644
--- a/src/luaapi.c
+++ b/src/luaapi.c
@@ -759,14 +759,13 @@ static s32 lua_memcpy(lua_State* lua)
 s32 dest = getLuaNumber(lua, 1);
 s32 src = getLuaNumber(lua, 2);
 s32 size = getLuaNumber(lua, 3);
-s32 dstBound = sizeof(tic_ram) - size;
-s32 srcBound = sizeof(tic_mem) - size;
+s32 bound = sizeof(tic_ram) - size;
 
-if(dest < dstBound && src < srcBound)
+if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && src >= 0 && dest <= bound && src <= bound)
 {
 u8* base = (u8*)&getLuaMachine(lua)->memory;
 memcpy(base + dest, base + src, size);
-return 0;
+return 0;
 }
 }
 
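Review bot: Both `base + dest` and `base + src` point into the same `memory` object, yet the copy on the last line of the duk_memcpy hunk is still `memcpy`, whose behaviour is undefined when the two ranges overlap (any call where the distance between `dest` and `src` is smaller than `size`), and the new range check does nothing to rule that out; change it to `memmove(base + dest, base + src, size);`. The same applies to the `memcpy` call in the lua_memcpy hunk of src/luaapi.c. A one-line comment above the condition would also help the next reader see why the bound is written as a subtraction: `// dest+size and src+size must both stay within tic_ram; compared via bound so the sum cannot overflow`. duk_memcpy's body starts and ends outside the hunk.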
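Review bot: `size <= sizeof(tic_ram)` in the new duk_memset condition compares a signed `s32` with a `size_t`, so `size` is converted to unsigned and the comparison is only right because `size >= 0` is evaluated first; a reader who misses the short-circuit will flag it, and -Wsign-compare does too. Making the intent explicit keeps the guard self-evidently correct: `if(size >= 0 && (size_t)size <= sizeof(tic_ram) && dest >= 0 && (size_t)dest <= sizeof(tic_ram) - (size_t)size)`. Note too that `bound` is computed on the line above the check, before `size` has been validated, so with a negative `size` the subtraction wraps in unsigned arithmetic and is then truncated into an `s32` — not undefined behaviour, but a value that must never be read, which the cast form avoids by deriving the bound only after the check. The same comparison pattern appears in the duk_memcpy hunk and in both src/luaapi.c hunks. duk_memset's body starts and ends outside the hunk.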
@@ -786,11 +785,11 @@ static s32 lua_memset(lua_State* lua)
 s32 size = getLuaNumber(lua, 3);
 s32 bound = sizeof(tic_ram) - size;
 
-if(dest < bound)
+if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && dest <= bound)
 {
 u8* base = (u8*)&getLuaMachine(lua)->memory;
 memset(base + dest, value, size);
-return 0;
+return 0;
 }
 }
 