
mGBA Game Boy Advance Emulator

GBA Memory: Properly bounds-check VRAM accesses
Jeffrey Pfau jeffrey@endrift.com
Tue, 13 Jan 2015 21:24:41 -0800
commit

369ccc64025cb710c106a5f05fa171f14a3b9071

parent

787b2bd1a3d14473beea51257cc0a99a609800bd

2 files changed, 20 insertions(+), 7 deletions(-)

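--- a/CHANGES
+++ b/CHANGES
@@ -53,6 +53,7 @@ - Debugger: Fix binary print putting spaces between digits
 - GBA BIOS: Fix LZ77UnCompVram to use 16-bit loads from decompressed memory
 - GBA BIOS: Fix HuffUnComp to work when games pass an invalid bit length
 - GBA BIOS: Fix GetBiosChecksum to return the value of a real GBA, regardless of used BIOS
+ - GBA Memory: Properly bounds-check VRAM accesses
 Misc:
 - Qt: Disable sync to video by default
 - GBA: Exit cleanly on FATAL if the port supports it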
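--- a/src/gba/gba-memory.c
+++ b/src/gba/gba-memory.c
@@ -204,7 +204,11 @@ LOAD_32(value, address & (SIZE_PALETTE_RAM - 1), gba->video.palette); \
 ++wait;
 #define LOAD_VRAM \
-LOAD_32(value, address & 0x0001FFFF, gba->video.renderer->vram); \
+if ((address & 0x0001FFFF) < SIZE_VRAM) { \
+LOAD_32(value, address & 0x0001FFFF, gba->video.renderer->vram); \
+} else { \
+LOAD_32(value, address & 0x00017FFF, gba->video.renderer->vram); \
+} \
 ++wait;
 #define LOAD_OAM LOAD_32(value, address & (SIZE_OAM - 1), gba->video.oam.raw);
@@ -317,7 +321,11 @@ case REGION_PALETTE_RAM:
 LOAD_16(value, address & (SIZE_PALETTE_RAM - 1), gba->video.palette);
 break;
 case REGION_VRAM:
-LOAD_16(value, address & 0x0001FFFF, gba->video.renderer->vram);
+if ((address & 0x0001FFFF) < SIZE_VRAM) {
+LOAD_16(value, address & 0x0001FFFF, gba->video.renderer->vram);
+} else {
+LOAD_16(value, address & 0x00017FFF, gba->video.renderer->vram);
+}
 break;
 case REGION_OAM:
 LOAD_16(value, address & (SIZE_OAM - 1), gba->video.oam.raw);
@@ -408,7 +416,11 @@ case REGION_PALETTE_RAM:
 value = ((int8_t*) gba->video.palette)[address & (SIZE_PALETTE_RAM - 1)];
 break;
 case REGION_VRAM:
-value = ((int8_t*) gba->video.renderer->vram)[address & 0x0001FFFF];
+if ((address & 0x0001FFFF) < SIZE_VRAM) {
+value = ((int8_t*) gba->video.renderer->vram)[address & 0x0001FFFF];
+} else {
+value = ((int8_t*) gba->video.renderer->vram)[address & 0x00017FFF];
+}
 break;
 case REGION_OAM:
 GBALog(gba, GBA_LOG_STUB, "Unimplemented memory Load8: 0x%08X", address);
@@ -478,9 +490,9 @@ ++wait; \
 gba->video.renderer->writePalette(gba->video.renderer, address & (SIZE_PALETTE_RAM - 1), value);
 #define STORE_VRAM \
-if ((address & OFFSET_MASK) < SIZE_VRAM) { \
+if ((address & 0x0001FFFF) < SIZE_VRAM) { \
 STORE_32(value, address & 0x0001FFFF, gba->video.renderer->vram); \
-} else if ((address & OFFSET_MASK) < 0x00020000) { \
+} else { \
 STORE_32(value, address & 0x00017FFF, gba->video.renderer->vram); \
 } \
 ++wait;
@@ -567,9 +579,9 @@ STORE_16(value, address & (SIZE_PALETTE_RAM - 1), gba->video.palette);
 gba->video.renderer->writePalette(gba->video.renderer, address & (SIZE_PALETTE_RAM - 1), value);
 break;
 case REGION_VRAM:
-if ((address & OFFSET_MASK) < SIZE_VRAM) {
+if ((address & 0x0001FFFF) < SIZE_VRAM) {
 STORE_16(value, address & 0x0001FFFF, gba->video.renderer->vram);
-} else if ((address & OFFSET_MASK) < 0x00020000) {
+} else {
 STORE_16(value, address & 0x00017FFF, gba->video.renderer->vram);
 }
 break;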
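Review bot: The mirror rule `(address & 0x0001FFFF) < SIZE_VRAM ? address & 0x0001FFFF : address & 0x00017FFF` is now hand-copied at five sites (LOAD_VRAM, the 16- and 8-bit load cases, STORE_VRAM and the 16-bit store case) with both masks as bare literals, so one helper such as `#define VRAM_OFFSET(a) ((((a) & 0x0001FFFF) < SIZE_VRAM) ? ((a) & 0x0001FFFF) : ((a) & 0x00017FFF))`, used as `LOAD_32(value, VRAM_OFFSET(address), gba->video.renderer->vram);`, would keep the five copies from drifting apart. The fallback mask deserves a comment where it is defined, e.g. `// offsets 0x18000-0x1FFFF of each 128 KiB window are folded onto 0x10000-0x17FFF, the top 32 KiB of the 96 KiB VRAM (presumably matching the hardware mirror)`, since the relation between 0x00017FFF and SIZE_VRAM is otherwise only implied. Note also that the store paths previously tested `address & OFFSET_MASK` and silently dropped writes at offsets of 0x20000 and above, whereas the new test applies the 128 KiB fold to the whole region; that looks intentional but is not mentioned in the commit message. Whether a 16- or 32-bit access at the top of the folded range (e.g. offset 0x1FFFE or 0x1FFFC) is pre-aligned before reaching these masks cannot be seen here; if not, the `& 0x00017FFF` result still stays inside the array, so no overrun follows. The switch bodies these cases belong to begin and end outside the hunks.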