From 1539216f23e36d952bcbbe8f2f826dd32f5c93d6 Mon Sep 17 00:00:00 2001
From: OBattler
Date: Wed, 23 Aug 2017 02:49:12 +0200
Subject: [PATCH] The IOCTL and Image Read TOC Raw handlers now check for the bounds of the target buffer.
---
 src/cdrom_image.cc | 17 +++++++++++++++--
 src/cdrom_ioctl.c | 17 +++++++++++++++--
 2 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/src/cdrom_image.cc b/src/cdrom_image.cc
index 42d40be77..ba538b066 100644
--- a/src/cdrom_image.cc
+++ b/src/cdrom_image.cc
@@ -894,8 +894,10 @@ static int image_readtoc_raw(uint8_t id, unsigned char *b, int maxlen)
 cdimg[id]->GetAudioTracks(first_track, last_track, tmsf);
- b[2] = first_track;
- b[3] = last_track;
+ if (maxlen >= 3) b[2] = first_track;
+ if (maxlen >= 4) b[3] = last_track;
+
+ if (maxlen <= 4) return len;
 for (track = first_track; track <= last_track; track++) {
@@ -908,16 +910,27 @@ static int image_readtoc_raw(uint8_t id, unsigned char *b, int maxlen)
 cdimg[id]->GetAudioTrackInfo(track, number, tmsf, attr);
 b[len++] = track;
+ if (len == maxlen) return len;
 b[len++]= attr;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++] = tmsf.min;
+ if (len == maxlen) return len;
 b[len++] = tmsf.sec;
+ if (len == maxlen) return len;
 b[len++] = tmsf.fr;
+ if (len == maxlen) return len;
 }
 return len;
 }
diff --git a/src/cdrom_ioctl.c b/src/cdrom_ioctl.c
index ab13ea70a..1d8ceb359 100644
--- a/src/cdrom_ioctl.c
+++ b/src/cdrom_ioctl.c
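Review bot: The early return `if (maxlen <= 4) return len;` in the first image_readtoc_raw hunk hands back `len` unchanged, so for a `maxlen` below `len` (or a negative one, since it is a signed int) the function reports more bytes than the caller's buffer was said to hold. `len` is assigned before this hunk, so its value is not visible here, but if it is the 4-byte header length, any caller that trusts the return value can still read or copy past `maxlen`. Consider clamping the result, e.g. `if (maxlen <= len) return (maxlen < 0) ? 0 : maxlen;`, or state in a comment on the function that callers must clamp the returned length themselves. The same applies to `if (len >= maxlen) return len;` in ioctl_readtoc_raw in src/cdrom_ioctl.c.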
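Review bot: The eleven `if (len == maxlen) return len;` checks in the loop of image_readtoc_raw are only safe because the guard before the loop ensures `len < maxlen` on entry; an equality test never fires if `len` ever starts above `maxlen`, and the stores would then continue unbounded. Writing each check as `if (len >= maxlen) return len;` makes it hold on its own, and a small static helper that stores one byte and reports when the buffer is full would remove the repetition shared with ioctl_readtoc_raw. A one-line comment such as `/* A track descriptor may be cut mid-entry when maxlen is reached. */` would record that the truncation is intended. The function body starts outside this hunk.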
@@ -1172,8 +1172,10 @@ static int ioctl_readtoc_raw(uint8_t id, uint8_t *b, int maxlen)
 ioctl_hopen(id);
 DeviceIoControl(cdrom_ioctl_windows[id].hIOCTL,IOCTL_CDROM_READ_TOC_EX, &toc_ex,sizeof(toc_ex),&toc,sizeof(toc),(PDWORD)&size,NULL);
 ioctl_close(id);
- b[2]=toc.FirstCompleteSession;
- b[3]=toc.LastCompleteSession;
+ if (maxlen >= 3) b[2]=toc.FirstCompleteSession;
+ if (maxlen >= 4) b[3]=toc.LastCompleteSession;
+
+ if (len >= maxlen) return len;
 size -= sizeof(CDROM_TOC_FULL_TOC_DATA);
 size /= sizeof(toc.Descriptors[0]);
@@ -1181,16 +1183,27 @@ static int ioctl_readtoc_raw(uint8_t id, uint8_t *b, int maxlen)
 for (i = 0; i <= size; i++) {
 b[len++]=toc.Descriptors[i].SessionNumber;
+ if (len == maxlen) return len;
 b[len++]=(toc.Descriptors[i].Adr<<4)|toc.Descriptors[i].Control;
+ if (len == maxlen) return len;
 b[len++]=0;
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].Reserved1; /*Reserved*/
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].MsfExtra[0];
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].MsfExtra[1];
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].MsfExtra[2];
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].Zero;
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].Msf[0];
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].Msf[1];
+ if (len == maxlen) return len;
 b[len++]=toc.Descriptors[i].Msf[2];
+ if (len == maxlen) return len;
 }
 return len;
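Review bot: The result of `DeviceIoControl` is still ignored in the first ioctl_readtoc_raw hunk, so when the call fails the guarded stores and the `size -= sizeof(CDROM_TOC_FULL_TOC_DATA);` arithmetic run on whatever `toc` and `size` happened to hold. The added `maxlen` checks bound the writes into `b`, but the loop in the following hunk, `for (i = 0; i <= size; i++)`, still indexes `toc.Descriptors` with a count that nothing visible limits to the size of `toc`, and `<=` appears to visit one entry more than the computed count. Consider keeping the BOOL result and adding `if (!ok) return 0;` after `ioctl_close(id);`, and rejecting a `size` smaller than the header before subtracting; the right failure value depends on callers that are not shown. The declarations of `toc`, `size` and `len` are outside these hunks.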