better bounds checking for memcpy, memset

death 2017-10-17 07:00:45 +03:00
parent cd101d429a
commit 48f61d7b80
2 changed files with 8 additions and 10 deletions


@ -466,10 +466,9 @@ static duk_ret_t duk_memcpy(duk_context* duk)
s32 dest = duk_to_int(duk, 0); s32 dest = duk_to_int(duk, 0);
s32 src = duk_to_int(duk, 1); s32 src = duk_to_int(duk, 1);
s32 size = duk_to_int(duk, 2); s32 size = duk_to_int(duk, 2);
s32 dstBound = sizeof(tic_ram) - size; s32 bound = sizeof(tic_ram) - size;
s32 srcBound = sizeof(tic_mem) - size;
if(size > 0 && dest < dstBound && src < srcBound) if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && src >= 0 && dest <= bound && src <= bound)
{ {
u8* base = (u8*)&getDukMachine(duk)->memory; u8* base = (u8*)&getDukMachine(duk)->memory;
memcpy(base + dest, base + src, size); memcpy(base + dest, base + src, size);
@ -485,7 +484,7 @@ static duk_ret_t duk_memset(duk_context* duk)
s32 size = duk_to_int(duk, 2); s32 size = duk_to_int(duk, 2);
s32 bound = sizeof(tic_ram) - size; s32 bound = sizeof(tic_ram) - size;
if(size > 0 && dest < bound) if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && dest <= bound)
{ {
u8* base = (u8*)&getDukMachine(duk)->memory; u8* base = (u8*)&getDukMachine(duk)->memory;
memset(base + dest, value, size); memset(base + dest, value, size);
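Review bot: `memcpy(base + dest, base + src, size)` in duk_memcpy copies between two script-chosen ranges of the same `memory` object, and the new condition validates each range against the bound but does nothing to keep the two from overlapping; memcpy on overlapping ranges is undefined behaviour in C. Now that both offsets are checked against the same region, the call should be `memmove(base + dest, base + src, size);`. The same applies to lua_memcpy in the second file. Both function bodies continue outside their hunks.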


@ -759,10 +759,9 @@ static s32 lua_memcpy(lua_State* lua)
s32 dest = getLuaNumber(lua, 1); s32 dest = getLuaNumber(lua, 1);
s32 src = getLuaNumber(lua, 2); s32 src = getLuaNumber(lua, 2);
s32 size = getLuaNumber(lua, 3); s32 size = getLuaNumber(lua, 3);
s32 dstBound = sizeof(tic_ram) - size; s32 bound = sizeof(tic_ram) - size;
s32 srcBound = sizeof(tic_mem) - size;
if(dest < dstBound && src < srcBound) if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && src >= 0 && dest <= bound && src <= bound)
{ {
u8* base = (u8*)&getLuaMachine(lua)->memory; u8* base = (u8*)&getLuaMachine(lua)->memory;
memcpy(base + dest, base + src, size); memcpy(base + dest, base + src, size);
@ -786,7 +785,7 @@ static s32 lua_memset(lua_State* lua)
s32 size = getLuaNumber(lua, 3); s32 size = getLuaNumber(lua, 3);
s32 bound = sizeof(tic_ram) - size; s32 bound = sizeof(tic_ram) - size;
if(dest < bound) if(size >= 0 && size <= sizeof(tic_ram) && dest >= 0 && dest <= bound)
{ {
u8* base = (u8*)&getLuaMachine(lua)->memory; u8* base = (u8*)&getLuaMachine(lua)->memory;
memset(base + dest, value, size); memset(base + dest, value, size);
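Review bot: `s32 bound = sizeof(tic_ram) - size;` in lua_memset is computed before `size` is validated, so for a negative or oversized `size` the subtraction happens in size_t and is narrowed back to s32, leaving a meaningless value that is only safe because the separate `size >= 0 && size <= sizeof(tic_ram)` tests reject those cases; `size <= sizeof(tic_ram)` also compares signed with unsigned. Dropping `bound` and making the conversions explicit keeps the check self-contained: `if(size >= 0 && dest >= 0 && (size_t)size <= sizeof(tic_ram) && (size_t)dest <= sizeof(tic_ram) - (size_t)size)`. lua_memcpy and the two duk_* functions in the first file use the same pattern, with the extra `src` terms. Whether `getLuaNumber` can return a value outside the s32 range is not visible in this hunk and is worth confirming, since the narrowing into `s32` happens before any check.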