Core: Add range checks to some helpers and similar.

2025-01-20 20:56:22 +00:00 · 2023-01-08 14:10:16 -08:00 · 2023-01-08 14:10:16 -08:00 · dea9cac16c
commit dea9cac16c
parent e9ce0d0b5e
10 changed files with 32 additions and 27 deletions
--- a/Core/Dialog/PSPSaveDialog.cpp
+++ b/Core/Dialog/PSPSaveDialog.cpp
@ -22,6 +22,7 @@
 #endif
 #endif

+#include <algorithm>
 #include <ctime>
 #include <thread>

@ -639,8 +640,9 @@ int PSPSaveDialog::Update(int animSpeed)
 	// The struct may have been updated by the game.  This happens in "Where Is My Heart?"
 	// Check if it has changed, reload it.
 	// TODO: Cut down on preloading?  This rebuilds the list from scratch.
-	int size = Memory::Read_U32(requestAddr);
-	if (memcmp(Memory::GetPointer(requestAddr), &originalRequest, size) != 0) {
+	int size = std::min((u32)sizeof(originalRequest), Memory::Read_U32(requestAddr));
+	const u8 *updatedRequest = Memory::GetPointerRange(requestAddr, size);
+	if (updatedRequest && memcmp(updatedRequest, &originalRequest, size) != 0) {
 		memset(&request, 0, sizeof(request));
 		Memory::Memcpy(&request, requestAddr, size);
 		Memory::Memcpy(&originalRequest, requestAddr, size);
--- a/Core/ELF/ElfReader.cpp
+++ b/Core/ELF/ElfReader.cpp
@ -511,9 +511,9 @@ int ElfReader::LoadInto(u32 loadAddress, bool fromTop)
 				ERROR_LOG(LOADER, "Segment %d pointer invalid - truncated?", i);
 				continue;
 			}
-			u8 *dst = Memory::GetPointerWrite(writeAddr);
 			u32 srcSize = p->p_filesz;
 			u32 dstSize = p->p_memsz;
+			u8 *dst = Memory::GetPointerWriteRange(writeAddr, dstSize);

 			if (srcSize < dstSize)
 			{
--- a/Core/FileSystems/ISOFileSystem.cpp
+++ b/Core/FileSystems/ISOFileSystem.cpp
@ -401,8 +401,8 @@ int ISOFileSystem::Ioctl(u32 handle, u32 cmd, u32 indataPtr, u32 inlen, u32 outd
 			return SCE_KERNEL_ERROR_ERRNO_FUNCTION_NOT_SUPPORTED;
 		}

-		if (!Memory::IsValidAddress(outdataPtr) || outlen < 0x800) {
-			WARN_LOG_REPORT(FILESYS, "sceIoIoctl: Invalid out pointer while reading ISO9660 volume descriptor");
+		if (!Memory::IsValidRange(outdataPtr, 0x800) || outlen < 0x800) {
+			WARN_LOG_REPORT(FILESYS, "sceIoIoctl: Invalid out pointer %08x while reading ISO9660 volume descriptor", outdataPtr);
 			return SCE_KERNEL_ERROR_ERRNO_INVALID_ARGUMENT;
 		}

@ -424,7 +424,7 @@ int ISOFileSystem::Ioctl(u32 handle, u32 cmd, u32 indataPtr, u32 inlen, u32 outd
 		} else {
 			int block = (u16)desc.firstLETableSector;
 			u32 size = Memory::ValidSize(outdataPtr, (u32)desc.pathTableLength);
-			u8 *out = Memory::GetPointerWrite(outdataPtr);
+			u8 *out = Memory::GetPointerWriteRange(outdataPtr, size);

 			int blocks = size / blockDevice->GetBlockSize();
 			blockDevice->ReadBlocks(block, blocks, out);
--- a/Core/HLE/proAdhoc.cpp
+++ b/Core/HLE/proAdhoc.cpp
@ -1263,7 +1263,7 @@ void notifyMatchingHandler(SceNetAdhocMatchingContext * context, ThreadMessage *
 	MatchingArgs argsNew = { 0 };
 	u32_le dataBufLen = msg->optlen + 8; //max(bufLen, msg->optlen + 8);
 	u32_le dataBufAddr = userMemory.Alloc(dataBufLen); // We will free this memory after returning from mipscall. FIXME: Are these buffers supposed to be taken/pre-allocated from the memory pool during sceNetAdhocMatchingInit?
-	uint8_t * dataPtr = Memory::GetPointerWrite(dataBufAddr);
+	uint8_t *dataPtr = Memory::GetPointerWriteRange(dataBufAddr, dataBufLen);
 	if (dataPtr) {
 		memcpy(dataPtr, &msg->mac, sizeof(msg->mac));
 		if (msg->optlen > 0)
--- a/Core/HW/SasAudio.cpp
+++ b/Core/HW/SasAudio.cpp
@ -120,8 +120,8 @@ void VagDecoder::GetSamples(s16 *outSamples, int numSamples) {
 		memset(outSamples, 0, numSamples * sizeof(s16));
 		return;
 	}
-	if (!Memory::IsValidAddress(read_)) {
-		WARN_LOG(SASMIX, "Bad VAG samples address?");
+	if (!Memory::IsValidRange(read_, numBlocks_ * 16)) {
+		WARN_LOG_REPORT(SASMIX, "Bad VAG samples address? %08x / %d", read_, numBlocks_);
 		return;
 	}
 	const u8 *readp = Memory::GetPointerUnchecked(read_);
@ -577,9 +577,11 @@ void SasInstance::Mix(u32 outAddr, u32 inAddr, int leftVol, int rightVol) {
 	// Then mix the send buffer in with the rest.

 	// Alright, all voices mixed. Let's convert and clip, and at the same time, wipe mixBuffer for next time. Could also dither.
-	s16 *outp = (s16 *)Memory::GetPointer(outAddr);
-	const s16 *inp = inAddr ? (s16*)Memory::GetPointer(inAddr) : 0;
-	if (outputMode == PSP_SAS_OUTPUTMODE_MIXED) {
+	s16 *outp = (s16 *)Memory::GetPointerWriteRange(outAddr, 4 * grainSize);
+	const s16 *inp = inAddr ? (const s16 *)Memory::GetPointerRange(inAddr, 4 * grainSize) : 0;
+	if (!outp) {
+		WARN_LOG_REPORT(SCESAS, "Bad SAS Mix output address: %08x, grain=%d", outAddr, grainSize);
+	} else if (outputMode == PSP_SAS_OUTPUTMODE_MIXED) {
 		// Okay, apply effects processing to the Send buffer.
 		WriteMixedOutput(outp, inp, leftVol, rightVol);
 		if (MemBlockInfoDetailed()) {
@ -605,7 +607,7 @@ void SasInstance::Mix(u32 outAddr, u32 inAddr, int leftVol, int rightVol) {
 	memset(sendBuffer, 0, grainSize * sizeof(int) * 2);

 #ifdef AUDIO_TO_FILE
-	fwrite(Memory::GetPointer(outAddr), 1, grainSize * 2 * 2, audioDump);
+	fwrite(Memory::GetPointer(outAddr, grainSize * 2 * 2), 1, grainSize * 2 * 2, audioDump);
 #endif
 }

--- a/Core/MIPS/JitCommon/JitBlockCache.cpp
+++ b/Core/MIPS/JitCommon/JitBlockCache.cpp
@ -65,7 +65,7 @@ static uint64_t HashJitBlock(const JitBlock &b) {
 	PROFILE_THIS_SCOPE("jithash");
 	if (JIT_USE_COMPILEDHASH) {
 		// Includes the emuhack (or emuhacks) in memory.
-		return XXH3_64bits(Memory::GetPointer(b.originalAddress), b.originalSize * 4);
+		return XXH3_64bits(Memory::GetPointerRange(b.originalAddress, b.originalSize * 4), b.originalSize * 4);
 	}
 	return 0;
 }
--- a/Core/MIPS/MIPSAnalyst.cpp
+++ b/Core/MIPS/MIPSAnalyst.cpp
@ -673,7 +673,7 @@ namespace MIPSAnalyst {
 			int vt = (((op >> 16) & 0x1f)) | ((op & 1) << 5);
 			float rd[4];
 			ReadVector(rd, V_Quad, vt);
-			return memcmp(rd, Memory::GetPointer(addr), sizeof(float) * 4) != 0;
+			return memcmp(rd, Memory::GetPointerRange(addr, 16), sizeof(float) * 4) != 0;
 		}

 		// TODO: Technically, the break might be for 1 byte in the middle of a sw.
--- a/Core/MIPS/MIPSIntVFPU.cpp
+++ b/Core/MIPS/MIPSIntVFPU.cpp
@ -207,6 +207,7 @@ namespace MIPSInt

 		u32 addr = R(rs) + imm;
 		float *f;
+		const float *cf;

 		switch (op >> 26)
 		{
@ -245,9 +246,9 @@ namespace MIPSInt
 				_dbg_assert_msg_( 0, "Misaligned lv.q at %08x (pc = %08x)", addr, PC);
 			}
 #ifndef COMMON_BIG_ENDIAN
-			f = reinterpret_cast<float *>(Memory::GetPointerWrite(addr));
-			if (f)
-				WriteVector(f, V_Quad, vt);
+			cf = reinterpret_cast<const float *>(Memory::GetPointerRange(addr, 16));
+			if (cf)
+				WriteVector(cf, V_Quad, vt);
 #else
 			float lvqd[4];

@ -294,7 +295,7 @@ namespace MIPSInt
 				_dbg_assert_msg_( 0, "Misaligned sv.q at %08x (pc = %08x)", addr, PC);
 			}
 #ifndef COMMON_BIG_ENDIAN
-			f = reinterpret_cast<float *>(Memory::GetPointerWrite(addr));
+			f = reinterpret_cast<float *>(Memory::GetPointerWriteRange(addr, 16));
 			if (f)
 				ReadVector(f, V_Quad, vt);
 #else
--- a/Core/MemMapHelpers.h
+++ b/Core/MemMapHelpers.h
@ -32,7 +32,7 @@ namespace Memory
 {

 inline void Memcpy(const u32 to_address, const void *from_data, const u32 len, const char *tag, size_t tagLen) {
-	u8 *to = GetPointerWrite(to_address);
+	u8 *to = GetPointerWriteRange(to_address, len);
 	if (to) {
 		memcpy(to, from_data, len);
 		if (!tag) {
@ -45,7 +45,7 @@ inline void Memcpy(const u32 to_address, const void *from_data, const u32 len, c
 }

 inline void Memcpy(void *to_data, const u32 from_address, const u32 len, const char *tag, size_t tagLen) {
-	const u8 *from = GetPointer(from_address);
+	const u8 *from = GetPointerRange(from_address, len);
 	if (from) {
 		memcpy(to_data, from, len);
 		if (!tag) {
@ -58,11 +58,11 @@ inline void Memcpy(void *to_data, const u32 from_address, const u32 len, const c
 }

 inline void Memcpy(const u32 to_address, const u32 from_address, const u32 len, const char *tag, size_t tagLen) {
-	u8 *to = GetPointerWrite(to_address);
+	u8 *to = GetPointerWriteRange(to_address, len);
 	// If not, GetPointer will log.
 	if (!to)
 		return;
-	const u8 *from = GetPointer(from_address);
+	const u8 *from = GetPointerRange(from_address, len);
 	if (!from)
 		return;

--- a/Core/Util/PPGeDraw.cpp
+++ b/Core/Util/PPGeDraw.cpp
@ -276,7 +276,7 @@ void __PPGeInit() {
 	NotifyMemInfo(MemBlockFlags::WRITE, palette.ptr, 16 * sizeof(u16_le), "PPGe Palette");

 	const u32_le *imagePtr = (u32_le *)imageData[0];
-	u8 *ramPtr = atlasPtr == 0 ? nullptr : (u8 *)Memory::GetPointer(atlasPtr);
+	u8 *ramPtr = atlasPtr == 0 ? nullptr : (u8 *)Memory::GetPointerRange(atlasPtr, atlasSize);

 	// Palettize to 4-bit, the easy way.
 	for (int i = 0; i < width[0] * height[0] / 2; i++) {
@ -325,7 +325,7 @@ void __PPGeDoState(PointerWrap &p)
 	} else {
 		// Memory was already updated by this point, so check directly.
 		if (atlasPtr != 0) {
-			savedHash = XXH3_64bits(Memory::GetPointer(atlasPtr), atlasWidth * atlasHeight / 2);
+			savedHash = XXH3_64bits(Memory::GetPointerRange(atlasPtr, atlasWidth * atlasHeight / 2), atlasWidth * atlasHeight / 2);
 		} else {
 			savedHash ^= 1;
 		}
@ -886,7 +886,7 @@ static PPGeTextDrawerImage PPGeGetTextImage(const char *text, const PPGeStyle &s

 		if (im.ptr) {
 			int wBytes = (im.entry.bmWidth + 1) / 2;
-			u8 *ramPtr = (u8 *)Memory::GetPointer(im.ptr);
+			u8 *ramPtr = Memory::GetPointerWriteRange(im.ptr, sz);
 			for (int y = 0; y < im.entry.bmHeight; ++y) {
 				for (int x = 0; x < wBytes; ++x) {
 					uint8_t c1 = bitmapData[y * im.entry.bmWidth + x * 2];
@ -1327,7 +1327,7 @@ bool PPGeImage::Load() {
 	unsigned char *textureData;
 	int success;
 	if (filename_.empty()) {
-		success = pngLoadPtr(Memory::GetPointer(png_), size_, &width_, &height_, &textureData);
+		success = pngLoadPtr(Memory::GetPointerRange(png_, size_), size_, &width_, &height_, &textureData);
 	} else {
 		std::vector<u8> pngData;
 		if (pspFileSystem.ReadEntireFile(filename_, pngData) < 0) {