Protect system_cmd from reading out of bounds

3 years ago · 36a70ed605
2 changed files with 16 additions and 16 deletions
--- a/src/devices/system.c
+++ b/src/devices/system.c
@ -32,27 +32,26 @@ system_print(Stack *s, char *name)
 	fprintf(stderr, "\n");
 }

-void
-system_inspect(Uxn *u)
+static void
+system_cmd(Uint8 *ram, Uint16 addr)
 {
-	system_print(u->wst, "wst");
-	system_print(u->rst, "rst");
+	if(ram[addr] == 0x01) {
+		int src, dst;
+		Uint16 i, args[5]; /* length, a_page, a_addr, b_page, b_addr */
+		for(i = 0; i < 5; i++)
+			args[i] = PEEK16(ram + addr + 1 + i * 2);
+		src = (args[1] % RAM_PAGES) * 0x10000;
+		dst = (args[3] % RAM_PAGES) * 0x10000;
+		for(i = 0; i < args[0]; i++)
+			ram[dst + (Uint16)(args[4] + i)] = ram[src + (Uint16)(args[2] + i)];
+	}
 }

-/* RAM */
-
 void
-system_cmd(Uint8 *ram, Uint16 addr)
+system_inspect(Uxn *u)
 {
-	Uint16 a = addr, i = 0;
-	Uint8 o = ram[a++];
-	if(o == 1) {
-		Uint16 length = (ram[a++] << 8) + ram[a++];
-		Uint16 src_page = ((ram[a++] << 8) + ram[a++]) % 16, src_addr = (ram[a++] << 8) + ram[a++];
-		Uint16 dst_page = ((ram[a++] << 8) + ram[a++]) % 16, dst_addr = (ram[a++] << 8) + ram[a];
-		for(i = 0; i < length; i++)
-			ram[dst_page * 0x10000 + dst_addr + i] = ram[src_page * 0x10000 + src_addr + i];
-	}
+	system_print(u->wst, "wst");
+	system_print(u->rst, "rst");
 }

 int
--- a/src/devices/system.h
+++ b/src/devices/system.h
@ -10,6 +10,7 @@ WITH REGARD TO THIS SOFTWARE.
 */

 #define RAM_PAGES 0x10
+#define PEEK16(d) ((d)[0] << 8 | (d)[1])

 int system_load(Uxn *u, char *filename);
 void system_deo(Uxn *u, Uint8 *d, Uint8 port);