

GB Serialize: Check DMA destination when loading state
Jeffrey Pfau jeffrey@endrift.com
Mon, 12 Sep 2016 18:10:28 -0700
commit

ff788a017c4daeab34156bc0ea30cbd71b6a74b1

parent

740f7a0f66a1dc78af39db981dcc332bab8bdff6

1 files changed, 7 insertions(+), 1 deletions(-)

M src/gb/serialize.csrc/gb/serialize.c

@@ -89,6 +89,7 @@ bool error = false;

 int32_t check;
 uint32_t ucheck;
 int16_t check16;
+ uint16_t ucheck16;
 LOAD_32LE(ucheck, 0, &state->versionMagic);
 if (ucheck > GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION) {
 mLOG(GB_STATE, WARN, "Invalid or too new savestate: expected %08X, got %08X", GB_SAVESTATE_MAGIC + GB_SAVESTATE_VERSION, ucheck);

@@ -126,9 +127,14 @@ if (check < 0) {

 mLOG(GB_STATE, WARN, "Savestate is corrupted: video eventDiff is negative");
 error = true;
 }
- LOAD_32LE(check16, 0, &state->video.ly);
+ LOAD_16LE(check16, 0, &state->video.ly);
 if (check16 < 0 || check16 > GB_VIDEO_VERTICAL_TOTAL_PIXELS) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video y is out of range");
+ error = true;
+ }
+ LOAD_16LE(ucheck16, 0, &state->memory.dmaDest);
+ if (ucheck16 >= GB_SIZE_OAM) {
+ mLOG(GB_STATE, WARN, "Savestate is corrupted: DMA destination is out of range");
 error = true;
 }
 if (error) {
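Review bot: The new `if (ucheck16 >= GB_SIZE_OAM)` check bounds only the starting offset of the OAM DMA; if a remaining-byte counter is restored from the same savestate alongside `memory.dmaDest` (not visible in this hunk, so confirm against the struct), a destination just below GB_SIZE_OAM combined with a large remaining count would still let the resumed copy write past the end of the OAM buffer, so the validation should cover `dest + remaining` as well. A one-line why-comment would help the next reader, e.g. `// dmaDest indexes OAM directly; reject values that would write outside it`. On the context line above, `check16 > GB_VIDEO_VERTICAL_TOTAL_PIXELS` still accepts a value equal to the constant; if that constant is the number of lines rather than the highest valid line index, the comparison should be `>=`. The enclosing function starts and ends outside this hunk.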