
mGBA Game Boy Advance Emulator

GB Video: mVL bounds checking
Vicki Pfau vi@endrift.com
Tue, 18 Apr 2017 03:12:38 -0700
commit

8d6edf9033c4c25bf755bb6e076bc5d6d2bf6994

parent

1731d4f97581d1dfffb7b2aa8aa12661a7758671

1 files changed, 19 insertions(+), 7 deletions(-)

M src/gb/renderers/proxy.csrc/gb/renderers/proxy.c

@@ -63,6 +63,7 @@ static void _reset(struct GBVideoProxyRenderer* proxyRenderer, enum GBModel model) {

  memcpy(proxyRenderer->logger->oam, &proxyRenderer->d.oam->raw, GB_SIZE_OAM);
  memcpy(proxyRenderer->logger->vram, proxyRenderer->d.vram, GB_SIZE_VRAM);
+ proxyRenderer->oamMax = 0;
  proxyRenderer->backend->deinit(proxyRenderer->backend);
  proxyRenderer->backend->init(proxyRenderer->backend, model);

@@ -118,21 +119,31 @@ case DIRTY_REGISTER:

  proxyRenderer->backend->writeVideoRegister(proxyRenderer->backend, item->address, item->value);
  break;
  case DIRTY_PALETTE:
- proxyRenderer->backend->writePalette(proxyRenderer->backend, item->address, item->value);
+ if (item->address < 64) {
+ proxyRenderer->backend->writePalette(proxyRenderer->backend, item->address, item->value);
+ }
  break;
  case DIRTY_OAM:
- logger->oam[item->address] = item->value;
- proxyRenderer->backend->writeOAM(proxyRenderer->backend, item->address);
+ if (item->address < GB_SIZE_OAM) {
+ logger->oam[item->address] = item->value;
+ proxyRenderer->backend->writeOAM(proxyRenderer->backend, item->address);
+ }
  break;
  case DIRTY_VRAM:
- logger->readData(logger, &logger->vram[item->address >> 1], 0x1000, true);
- proxyRenderer->backend->writeVRAM(proxyRenderer->backend, item->address);
+ if (item->address + 0x1000 <= GB_SIZE_VRAM) {
+ logger->readData(logger, &logger->vram[item->address >> 1], 0x1000, true);
+ proxyRenderer->backend->writeVRAM(proxyRenderer->backend, item->address);
+ }
  break;
  case DIRTY_SCANLINE:
- proxyRenderer->backend->finishScanline(proxyRenderer->backend, item->address);
+ if (item->address < GB_VIDEO_VERTICAL_PIXELS) {
+ proxyRenderer->backend->finishScanline(proxyRenderer->backend, item->address);
+ }
  break;
  case DIRTY_RANGE:
- proxyRenderer->backend->drawRange(proxyRenderer->backend, item->value, item->value2, item->address, proxyRenderer->objThisLine, proxyRenderer->oamMax);
+ if (item->value < item->value2 && item->value2 <= GB_VIDEO_HORIZONTAL_PIXELS && item->address < GB_VIDEO_VERTICAL_PIXELS) {
+ proxyRenderer->backend->drawRange(proxyRenderer->backend, item->value, item->value2, item->address, proxyRenderer->objThisLine, proxyRenderer->oamMax);
+ }
  break;
  case DIRTY_FRAME:
  proxyRenderer->backend->finishFrame(proxyRenderer->backend);
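Review bot: The `DIRTY_VRAM` guard `item->address + 0x1000 <= GB_SIZE_VRAM` can wrap around if `item->address` is an unsigned 32-bit field (its declaration is not in the hunk). An address near the type's maximum would then produce a small sum, pass the check, and let `readData` write through `logger->vram[item->address >> 1]` far outside the buffer. The commit title suggests these items are read from an mVL log, so I would write the test without the addition: `if (item->address <= GB_SIZE_VRAM - 0x1000) {`. Separately, the palette limit `64` is a bare literal next to named constants in the other cases; a named constant or a one-line comment saying what the 64 entries are would help. The enclosing switch starts and ends outside the hunk.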

@@ -142,6 +153,7 @@ switch (item->address) {

  case BUFFER_OAM:
  proxyRenderer->oamMax = item->value2 / sizeof(struct GBObj);
  if (proxyRenderer->oamMax > 40) {
+ proxyRenderer->oamMax = 0;
  return false;
  }
  logger->readData(logger, &proxyRenderer->objThisLine, item->value2, true);
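Review bot: The `BUFFER_OAM` check bounds the quotient rather than the byte count that is actually copied. `item->value2 / sizeof(struct GBObj)` rounds down, so a `value2` that is not a multiple of the object size can pass `oamMax > 40` while `readData` still copies `value2` bytes into `objThisLine`. If `objThisLine` is an array of exactly 40 entries (its declaration is not shown), that is an overrun of up to `sizeof(struct GBObj) - 1` bytes. Testing the length itself closes the gap, e.g. `if (item->value2 > sizeof(proxyRenderer->objThisLine)) {` in place of the `oamMax > 40` test, assuming `objThisLine` is an array member. The enclosing case and function continue outside the hunk.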