nvhost_gpu: Added checks to ensure we don't read past the end of the entries when handling a GPU command list.

author: Subv <subv2112@gmail.com> 2018-07-30 20:09:13 -0500
committer: Subv <subv2112@gmail.com> 2018-07-30 20:09:13 -0500
commit: e119e17d1824cbc41153d8f55d81b76b3da438f6 (patch)
tree: c5d6a836d03be566f4efa3679482589d7f5bc644 /src
parent: 2482aca7c32679339b2c79cb7f1d46234539a9ef (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp b/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
index 126782573..5a1123ad2 100644
--- a/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
+++ b/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
@@ -132,9 +132,12 @@ u32 nvhost_gpu::SubmitGPFIFO(const std::vector<u8>& input, std::vector<u8>& outp
     LOG_WARNING(Service_NVDRV, "(STUBBED) called, gpfifo={:X}, num_entries={:X}, flags={:X}",
                 params.address, params.num_entries, params.flags);
 
-    auto entries = std::vector<IoctlGpfifoEntry>();
-    entries.resize(params.num_entries);
-    std::memcpy(&entries[0], &input.data()[sizeof(IoctlSubmitGpfifo)],
+    ASSERT_MSG(input.size() ==
+                   sizeof(IoctlSubmitGpfifo) + params.num_entries * sizeof(IoctlGpfifoEntry),
+               "Incorrect input size");
+
+    std::vector<IoctlGpfifoEntry> entries(params.num_entries);
+    std::memcpy(entries.data(), &input[sizeof(IoctlSubmitGpfifo)],
                 params.num_entries * sizeof(IoctlGpfifoEntry));
     for (auto entry : entries) {
         Tegra::GPUVAddr va_addr = entry.Address();
author	Subv <subv2112@gmail.com>	2018-07-30 20:09:13 -0500
committer	Subv <subv2112@gmail.com>	2018-07-30 20:09:13 -0500
commit	e119e17d1824cbc41153d8f55d81b76b3da438f6 (patch)
tree	c5d6a836d03be566f4efa3679482589d7f5bc644 /src
parent	2482aca7c32679339b2c79cb7f1d46234539a9ef (diff)