int i, ret;
TCHAR *out_p = NULL, *parms_in = NULL;
- if (out)
+ if (outsize >= 32768)
+ return 0;
+ if (out && outsize > 0) {
+ if (!trap_valid_address(ctx, out, 1))
+ return 0;
trap_put_byte(ctx, out, 0);
+ }
if (size == 0) {
- while (trap_get_byte(ctx, parms + size) != 0)
+ for (;;) {
+ if (!trap_valid_address(ctx, parms + size, 1))
+ return 0;
+ if (trap_get_byte(ctx, parms + size) == 0)
+ break;
size++;
+ if (size >= 32768)
+ return 0;
+ }
}
parms_p = xmalloc (uae_char, size + 1);
if (!parms_p) {
parms_in = au (parms_p);
ret = cfgfile_modify (index, parms_in, size, out_p, outsize);
xfree (parms_in);
- if (out) {
+ if (out && outsize > 0) {
parms_out = ua (out_p);
+ if (!trap_valid_address(ctx, out, strlen(parms_out) + 1 > outsize ? outsize : strlen(parms_out) + 1))
+ return 0;
trap_put_string(ctx, parms_out, out, outsize - 1);
}
xfree (parms_out);
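Review bot: The new `return 0;` after the `trap_valid_address` check on `out` leaks `parms_out`, which `ua (out_p)` allocates on the line just before it; the matching `xfree (parms_out)` sits after the `if` block and is skipped on that path. Either release it before leaving, `if (!trap_valid_address(ctx, out, len > outsize ? outsize : len)) { xfree(parms_out); return 0; }`, or move the validation of `out` ahead of the `ua()` call so nothing has been allocated yet. `out_p` (and `parms_p` from the `xmalloc` above) are presumably freed somewhere outside the hunk, in which case this return leaks them as well and the same fix applies. The two `strlen(parms_out)` calls in the condition could be hoisted into one `size_t len = strlen(parms_out) + 1;` for readability. The enclosing function starts and ends outside the hunk.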
TCHAR *str;
uae_char tmpa[CONFIG_BLEN];
- if (mode)
+ if (mode || maxlen > CONFIG_BLEN)
+ return 0;
+
+ if (!trap_valid_string(ctx, name, CONFIG_BLEN))
+ return 0;
+ if (!trap_valid_address(ctx, dst, maxlen))
return 0;
trap_get_string(ctx, tmpa, name, sizeof tmpa);
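Review bot: The new `maxlen > CONFIG_BLEN` rejection is folded into the existing `if (mode ...)` test, so an oversized destination gets the same silent `return 0` as an unsupported mode and nothing at the site says why CONFIG_BLEN bounds a guest buffer length; a comment such as `// maxlen bounds the guest dst window; cap it at CONFIG_BLEN, presumably the size of the local buffers (e.g. tmpa) the value is staged through` would record the intent, with the "presumably" dropped once confirmed against the rest of the function. Nothing rejects `maxlen == 0`; whether `trap_valid_address(ctx, dst, 0)` accepts an empty window depends on its body, which is outside this hunk, and if it does, any later write of a terminator into `dst` would go unchecked, so `maxlen == 0` may deserve an explicit `return 0` too. The enclosing function starts and ends outside the hunk.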
void trap_set_background(TrapContext *ctx);
void trap_background_set_complete(TrapContext *ctx);
bool trap_valid_address(TrapContext *ctx, uaecptr addr, uae_u32 size);
+bool trap_valid_string(TrapContext *ctx, uaecptr addr, uae_u32 maxsize);
bool trap_is_indirect(void);
void trap_dos_active(void);
void trap_reset(void);
atomic_inc(&ctx->trap_background);
}
+bool trap_valid_string(TrapContext *ctx, uaecptr addr, uae_u32 maxsize)
+{
+ if (!ctx || currprefs.uaeboard < 3) {
+ for (int i = 0; i < maxsize; i++) {
+ if (!valid_address(addr + i, 1))
+ return false;
+ if (get_byte(addr + i) == 0)
+ return true;
+ }
+ return false;
+ }
+ // can't really do any checks..
+ return true;
+}
+
bool trap_valid_address(TrapContext *ctx, uaecptr addr, uae_u32 size)
{
if (!ctx || currprefs.uaeboard < 3)
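Review bot: In the new `trap_valid_string`, the loop index `i` is an `int` compared against the `uae_u32 maxsize`, a signed/unsigned comparison that `-Wsign-compare` flags and that the parameter type makes unnecessary; `for (uae_u32 i = 0; i < maxsize; i++) {` matches the signature. The `return true` on the `uaeboard >= 3` path means "not checked" rather than "validated", which the `// can't really do any checks..` comment only hints at; a header comment above the definition stating that the function returns true when a NUL terminator is found within maxsize readable bytes starting at addr, and that in indirect mode it returns true unconditionally so callers must still bound their own reads, would make the contract explicit for callers such as the `trap_get_string` sites. `trap_valid_address`, whose body begins on the trailing context lines, appears to branch on the same condition, so the header comment could cross-reference it. The body of `trap_valid_address` ends outside the hunk.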