Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Buffer Overflow in Options -> Controls ->Control Mapping (debug x64 windows) #19050

Open
GermanAizek opened this issue Apr 12, 2024 · 2 comments
Open

Buffer Overflow in Options -> Controls ->Control Mapping (debug x64 windows) #19050

GermanAizek opened this issue Apr 12, 2024 · 2 comments
Labels
User Interface PPSSPP's own user interface / UX
Milestone
v1.18.0

Comments

@GermanAizek
Copy link
Contributor

GermanAizek commented Apr 12, 2024
edited

@hrydgard, I just started debug build and wanted to reassign buttons, but my curCat turned out to be number 3 (Extended PSP controls), and at + 1 it went beyond array boundary, as I understood.

image

image
@GermanAizek GermanAizek changed the title [Vulnerability] Global Buffer Overflow in Options ->Manage Keys (debug x64 windows) [Vulnerability] Global Buffer Overflow in Options ->Control Mapping (debug x64 windows) Apr 12, 2024
@GermanAizek GermanAizek changed the title [Vulnerability] Global Buffer Overflow in Options ->Control Mapping (debug x64 windows) [Vulnerability] Global Buffer Overflow in Options -> Controls ->Control Mapping (debug x64 windows) Apr 12, 2024
@GermanAizek
Copy link
Contributor Author

GermanAizek commented Apr 12, 2024
edited

@hrydgard, correct way is to make std::vector with fixed size and do not use direct acess by index + 1.

My fast cringe patch:

  1. Append fourth category controls nullable.
  2. Check on NULL catName, firstKey or open and access compare
// Category name, first input from psp_button_names.
static const Cat cats[] = {
	{"Standard PSP controls", CTRL_UP, &categoryToggles_[0]},
	{"Control modifiers", VIRTKEY_ANALOG_ROTATE_CW, &categoryToggles_[1]},
	{"Emulator controls", VIRTKEY_FASTFORWARD, &categoryToggles_[2]},
	{"Extended PSP controls", VIRTKEY_AXIS_RIGHT_Y_MAX, &categoryToggles_[3]},
	{NULL, NULL, NULL}
};

int curCat = -1;
CollapsibleSection *curSection = nullptr;
for (size_t i = 0; i < numMappableKeys; i++) {
	if (curCat < (int)ARRAY_SIZE(cats) && (cats[curCat + 1].catName != NULL && mappableKeys[i].key == cats[curCat + 1].firstKey)) {
		if (curCat >= 0) {
			curSection->SetOpenPtr(cats[curCat].open);
		}
		curCat++;

                ...

@hrydgard
Copy link
Owner

hrydgard commented Apr 12, 2024
edited

Hm, you're right, it's a bug. I don't think a vector is necessary here, I prefer the extra line with NULLs.

By the way, I removed the "Vulnerability" tag because I can't see a way to use this for anything nefarious. It could lead to crashes though indeed.

@hrydgard hrydgard changed the title [Vulnerability] Global Buffer Overflow in Options -> Controls ->Control Mapping (debug x64 windows) Buffer Overflow in Options -> Controls ->Control Mapping (debug x64 windows) Apr 12, 2024
@hrydgard hrydgard added the User Interface PPSSPP's own user interface / UX label Apr 12, 2024
@hrydgard hrydgard added this to the v1.18.0 milestone Apr 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
User Interface PPSSPP's own user interface / UX
Projects
None yet
Milestone
v1.18.0
Development

No branches or pull requests
2 participants
@hrydgard @GermanAizek