From c8f63a3b60f07114297a8742f01bc63b699948cd Mon Sep 17 00:00:00 2001
From: Toni Wilen
Date: Sat, 21 Sep 2019 10:45:48 +0300
Subject: [PATCH] Validate uae-configuration parameters.

---
 cfgfile.cpp | 27 +++++++++++++++++++++++----
 include/traps.h | 1 +
 traps.cpp | 15 +++++++++++++++
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/cfgfile.cpp b/cfgfile.cpp
index 87bd8baa..4de8214f 100644
--- a/cfgfile.cpp
+++ b/cfgfile.cpp
@@ -7415,11 +7415,23 @@ uae_u32 cfgfile_uaelib_modify(TrapContext *ctx, uae_u32 index, uae_u32 parms, ua
 int i, ret;
 TCHAR *out_p = NULL, *parms_in = NULL;
- if (out)
+ if (outsize >= 32768)
+ return 0;
+ if (out && outsize > 0) {
+ if (!trap_valid_address(ctx, out, 1))
+ return 0;
 trap_put_byte(ctx, out, 0);
+ }
 if (size == 0) {
- while (trap_get_byte(ctx, parms + size) != 0)
+ for (;;) {
+ if (!trap_valid_address(ctx, parms + size, 1))
+ return 0;
+ if (trap_get_byte(ctx, parms + size) == 0)
+ break;
 size++;
+ if (size >= 32768)
+ return 0;
+ }
 }
 parms_p = xmalloc (uae_char, size + 1);
 if (!parms_p) {
@@ -7444,8 +7456,10 @@ uae_u32 cfgfile_uaelib_modify(TrapContext *ctx, uae_u32 index, uae_u32 parms, ua
 parms_in = au (parms_p);
 ret = cfgfile_modify (index, parms_in, size, out_p, outsize);
 xfree (parms_in);
- if (out) {
+ if (out && outsize > 0) {
 parms_out = ua (out_p);
+ if (!trap_valid_address(ctx, out, strlen(parms_out) + 1 > outsize ? outsize : strlen(parms_out) + 1))
+ return 0;
 trap_put_string(ctx, parms_out, out, outsize - 1);
 }
 xfree (parms_out);
@@ -7470,7 +7484,12 @@ uae_u32 cfgfile_uaelib(TrapContext *ctx, int mode, uae_u32 name, uae_u32 dst, ua
 TCHAR *str;
 uae_char tmpa[CONFIG_BLEN];
- if (mode)
+ if (mode || maxlen > CONFIG_BLEN)
+ return 0;
+
+ if (!trap_valid_string(ctx, name, CONFIG_BLEN))
+ return 0;
+ if (!trap_valid_address(ctx, dst, maxlen))
+ return 0;
 trap_get_string(ctx, tmpa, name, sizeof tmpa);
diff --git a/include/traps.h b/include/traps.h
index a34c9043..0966f24b 100644
--- a/include/traps.h
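Review bot: The new bounds and `trap_valid_address` checks in the first hunk of cfgfile_uaelib_modify only cover the `size == 0` scanning path; when the guest passes a non-zero `size` it is neither capped at 32768 nor validated, so the `xmalloc (uae_char, size + 1)` and the copy that presumably follows it (outside the hunk) still act on an unchecked guest-supplied length and address. A single check after the `if (size == 0) { ... }` block would cover both paths: `if (size >= 32768 || (size && !trap_valid_address(ctx, parms, size))) return 0;`, which also makes the in-loop `size >= 32768` test redundant. The literal 32768 now appears twice in this hunk; a named constant next to CONFIG_BLEN would make the limit self-describing. cfgfile_uaelib_modify starts on the hunk header line and continues past the hunk.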
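Review bot: In the second cfgfile.cpp hunk the added `return 0;` sits right after `parms_out = ua (out_p);`, so on an invalid guest buffer it skips the `xfree (parms_out);` that follows and leaks parms_out, and presumably also parms_p and out_p if they are released later in the function the way parms_in is released before this hunk. The same line also evaluates `strlen(parms_out)` twice and mixes size_t with the uae_u32 `outsize` in the conditional. Computing the checked length once and recording the failure in `ret` instead of returning early keeps the existing cleanup on the path; this assumes the function ends with `return ret;`, which is outside the hunk, so adjust if it does not.

```cpp
	if (out && outsize > 0) {
		parms_out = ua (out_p);
		size_t outlen = strlen (parms_out) + 1;
		if (outlen > outsize)
			outlen = outsize;
		if (trap_valid_address (ctx, out, (uae_u32)outlen)) {
			trap_put_string (ctx, parms_out, out, outsize - 1);
		} else {
			ret = 0; // invalid guest buffer: report failure but still run the cleanup below
		}
	}
	xfree (parms_out);
	// … unchanged: remaining cleanup and return …
```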
+++ b/include/traps.h
@@ -95,6 +95,7 @@ void call_hardware_trap(uae_u8*, uaecptr, int);
 void trap_set_background(TrapContext *ctx);
 void trap_background_set_complete(TrapContext *ctx);
 bool trap_valid_address(TrapContext *ctx, uaecptr addr, uae_u32 size);
+bool trap_valid_string(TrapContext *ctx, uaecptr addr, uae_u32 maxsize);
 bool trap_is_indirect(void);
 void trap_dos_active(void);
 void trap_reset(void);
diff --git a/traps.cpp b/traps.cpp
index 666bb413..3fe96251 100644
--- a/traps.cpp
+++ b/traps.cpp
@@ -959,6 +959,21 @@ void trap_set_background(TrapContext *ctx)
 atomic_inc(&ctx->trap_background);
 }
+bool trap_valid_string(TrapContext *ctx, uaecptr addr, uae_u32 maxsize)
+{
+ if (!ctx || currprefs.uaeboard < 3) {
+ for (int i = 0; i < maxsize; i++) {
+ if (!valid_address(addr + i, 1))
+ return false;
+ if (get_byte(addr + i) == 0)
+ return true;
+ }
+ return false;
+ }
+ // can't really do any checks..
+ return true;
+}
+
 bool trap_valid_address(TrapContext *ctx, uaecptr addr, uae_u32 size)
 {
 if (!ctx || currprefs.uaeboard < 3)
--
2.47.3
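Review bot: In trap_valid_string the loop counter is a signed `int` compared against the `uae_u32` parameter `maxsize`, which trips -Wsign-compare and, for a maxsize above INT_MAX, would overflow `i` before the bound is reached; `for (uae_u32 i = 0; i < maxsize; i++) {` matches the parameter type. The function also deserves a header comment stating its contract, because the `ctx && uaeboard >= 3` branch returns true without looking at guest memory, so a true result does not prove the string is NUL-terminated within maxsize and callers must still bound their own copies as cfgfile_uaelib does with `sizeof tmpa`; something like `/* Returns true when a NUL terminator is found within maxsize bytes of valid guest memory starting at addr. Only enforced without a trap context or when uaeboard < 3; other configurations return true unchecked. */` would capture that. The trap_valid_address definition begins at the end of this hunk and continues outside it.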