Made sure the CopyQM reading code does not overflow the allocated buffer.
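--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -349,16 +349,34 @@ void img_load(int drive, char *fn)
 {
 rep_byte = fgetc(img[drive].f);
 block_len = -block_len;
+if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+{
+block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
+break;
+}
+else
+{
 memset(img[drive].cqm_data + cur_pos, rep_byte, block_len);
 cur_pos += block_len;
 }
+}
 else if (block_len > 0)
+{
+if (img[drive].cqm_data + cur_pos + block_len) > ((uint32_t) bpb_total) * ((uint32_t) bpb_bps))
+{
+block_len = ((uint32_t) bpb_total) * ((uint32_t) bpb_bps) - (img[drive].cqm_data + cur_pos);
+fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
+break;
+}
+else
+{
 {
 fread(img[drive].cqm_data + cur_pos, 1, block_len, img[drive].f);
 cur_pos += block_len;
 }
 }
 }
+}
 printf("Finished reading CopyQM image data\n");
 
 cqm = 1;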
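Review bot: Both added bounds checks (the `memset` branch and the `fread` branch) compare `img[drive].cqm_data + cur_pos + block_len` with `bpb_total * bpb_bps`, but `cqm_data` is the buffer pointer handed to `memset`/`fread`, so this weighs an address against a byte count, and the clamp `... - (img[drive].cqm_data + cur_pos)` subtracts a pointer from an integer; as shown on the page the condition also has one `)` too many. The limit should be expressed in offsets only, for example `if ((uint32_t) block_len > cqm_size - cur_pos) block_len = cqm_size - cur_pos;` with `cqm_size = (uint32_t) bpb_total * (uint32_t) bpb_bps`, assuming the allocation (outside this hunk) uses that same product. The return values of `fgetc` and `fread` are still unchecked, so a truncated image leaves `rep_byte` as EOF or part of the buffer unfilled without any error. `img_load` starts and ends outside the hunk, so the types of `cur_pos` and `block_len` should be confirmed before applying the cast.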