The IOCTL and Image Read TOC Raw handlers now check for the bounds of the target buffer.

2017-08-23 02:49:12 +02:00
parent 2cf34b4afb
commit 1539216f23
2 changed files with 30 additions and 4 deletions
--- a/src/cdrom_image.cc
+++ b/src/cdrom_image.cc
@@ -894,8 +894,10 @@ static int image_readtoc_raw(uint8_t id, unsigned char *b, int maxlen)

        cdimg[id]->GetAudioTracks(first_track, last_track, tmsf);

-        b[2] = first_track;
-        b[3] = last_track;
+        if (maxlen >= 3)  b[2] = first_track;
+        if (maxlen >= 4)  b[3] = last_track;
+
+	if (maxlen <= 4)  return len;

        for (track = first_track; track <= last_track; track++)
        {
@@ -908,16 +910,27 @@ static int image_readtoc_raw(uint8_t id, unsigned char *b, int maxlen)
                cdimg[id]->GetAudioTrackInfo(track, number, tmsf, attr);

                b[len++] = track;
+		if (len == maxlen)  return len;
                b[len++]= attr;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++] = tmsf.min;
+		if (len == maxlen)  return len;
       	        b[len++] = tmsf.sec;
+		if (len == maxlen)  return len;
                b[len++] = tmsf.fr;
+		if (len == maxlen)  return len;
        }
        return len;
 }
--- a/src/cdrom_ioctl.c
+++ b/src/cdrom_ioctl.c
@@ -1172,8 +1172,10 @@ static int ioctl_readtoc_raw(uint8_t id, uint8_t *b, int maxlen)
        ioctl_hopen(id);
        DeviceIoControl(cdrom_ioctl_windows[id].hIOCTL,IOCTL_CDROM_READ_TOC_EX, &toc_ex,sizeof(toc_ex),&toc,sizeof(toc),(PDWORD)&size,NULL);
        ioctl_close(id);
-        b[2]=toc.FirstCompleteSession;
-        b[3]=toc.LastCompleteSession;
+        if (maxlen >= 3)  b[2]=toc.FirstCompleteSession;
+        if (maxlen >= 4)  b[3]=toc.LastCompleteSession;
+
+	if (len >= maxlen)  return len;

 	size -= sizeof(CDROM_TOC_FULL_TOC_DATA);
 	size /= sizeof(toc.Descriptors[0]);
@@ -1181,16 +1183,27 @@ static int ioctl_readtoc_raw(uint8_t id, uint8_t *b, int maxlen)
 	for (i = 0; i <= size; i++)
 	{
                b[len++]=toc.Descriptors[i].SessionNumber;
+		if (len == maxlen)  return len;
                b[len++]=(toc.Descriptors[i].Adr<<4)|toc.Descriptors[i].Control;
+		if (len == maxlen)  return len;
                b[len++]=0;
+		if (len == maxlen)  return len;
                b[len++]=toc.Descriptors[i].Reserved1; /*Reserved*/
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].MsfExtra[0];
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].MsfExtra[1];
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].MsfExtra[2];
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].Zero;
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].Msf[0];
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].Msf[1];
+		if (len == maxlen)  return len;
 		b[len++]=toc.Descriptors[i].Msf[2];
+		if (len == maxlen)  return len;
 	}

 	return len;