Fix buffer overflow when creating patches with long RPN expressions

The createpatch() function was using a fixed-size buffer. I've changed it
to be dynamically allocated. I saw that the RPN format used in patches is
slightly different from the one used internally in the assembler, so I
added a new member to the Expression struct to track the patch size.

I've also limited the RPN expression length to 1MB. I realized that the
patch RPN expression could potentially be longer than the internal RPN
expression, so the internal expression would need a limit smaller than
UINT32_MAX. I thought 1MB would be a reasonable limit.
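The pattern the commit message describes, a growable RPN buffer whose length is capped so that neither the internal length nor the patch size can wrap a `uint32_t`, as an added illustration (this is not rgbds code and not the commit's diff; the struct layout, `MAXRPNLEN` value, and the `rpn_append` helper are assumptions modelled on the message):

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap, mirroring the 1 MB limit the commit message mentions. */
#define MAXRPNLEN 1048576

/* Reduced, hypothetical version of the Expression struct: only the
 * RPN-related members are kept. */
struct Expression {
	uint8_t *tRPN;          /* heap-allocated internal RPN bytes */
	uint32_t nRPNCapacity;  /* bytes allocated for tRPN */
	uint32_t nRPNLength;    /* bytes of internal RPN in use */
	uint32_t nRPNPatchSize; /* bytes the same expression takes in patch encoding */
};

void rpn_init(struct Expression *expr)
{
	expr->tRPN = NULL;
	expr->nRPNCapacity = 0;
	expr->nRPNLength = 0;
	expr->nRPNPatchSize = 0;
}

void rpn_free(struct Expression *expr)
{
	free(expr->tRPN);
	rpn_init(expr);
}

/* Append `len` internal bytes and account for `patchLen` patch bytes.
 * Returns 0 on success, -1 if either total would exceed MAXRPNLEN or
 * allocation fails; on failure nothing is modified. */
int rpn_append(struct Expression *expr, const uint8_t *bytes, uint32_t len, uint32_t patchLen)
{
	/* Subtract first so the comparison itself can never wrap. */
	if (len > MAXRPNLEN - expr->nRPNLength)
		return -1;
	if (patchLen > MAXRPNLEN - expr->nRPNPatchSize)
		return -1;

	uint32_t needed = expr->nRPNLength + len; /* <= MAXRPNLEN, cannot wrap */
	if (needed > expr->nRPNCapacity) {
		uint32_t newCap = expr->nRPNCapacity ? expr->nRPNCapacity : 64;
		while (newCap < needed)
			newCap *= 2; /* stays <= 2 * MAXRPNLEN, no overflow */
		if (newCap > MAXRPNLEN)
			newCap = MAXRPNLEN;
		uint8_t *p = realloc(expr->tRPN, newCap);
		if (!p)
			return -1;
		expr->tRPN = p;
		expr->nRPNCapacity = newCap;
	}
	memcpy(expr->tRPN + expr->nRPNLength, bytes, len);
	expr->nRPNLength = needed;
	expr->nRPNPatchSize += patchLen;
	return 0;
}

/* Constructed sample input: a block of zero bytes standing in for RPN tokens. */
static const uint8_t zeros[4096];

/* Append `count` chunks of 4096 bytes; returns how many appends succeeded. */
uint32_t demo_fill_to_limit(uint32_t count)
{
	struct Expression e;
	uint32_t ok = 0;
	rpn_init(&e);
	for (uint32_t i = 0; i < count; i++)
		if (rpn_append(&e, zeros, sizeof zeros, sizeof zeros) == 0)
			ok++;
	rpn_free(&e);
	return ok; /* 256 chunks fill exactly 1 MB; the 257th is rejected */
}

/* Patch size is tracked separately from internal length. */
uint32_t demo_patch_size(void)
{
	struct Expression e;
	rpn_init(&e);
	rpn_append(&e, zeros, 3, 5);
	rpn_append(&e, zeros, 3, 5);
	uint32_t size = e.nRPNPatchSize; /* 10, while nRPNLength is 6 */
	rpn_free(&e);
	return size;
}

/* A length that would wrap `nRPNLength + len` is refused before any copy. */
int demo_wrap_rejected(void)
{
	struct Expression e;
	rpn_init(&e);
	rpn_append(&e, zeros, 1, 1);
	int rc = rpn_append(&e, zeros, UINT32_MAX, 0);
	rpn_free(&e);
	return rc;
}

int main(void)
{
	printf("appends until limit: %u\n", demo_fill_to_limit(300));
	printf("patch size: %u\n", demo_patch_size());
	printf("wrap rejected: %d\n", demo_wrap_rejected());
	return 0;
}
```

The subtract-then-compare check is the part worth copying: testing `nRPNLength + len > MAXRPNLEN` directly would be defeated by a `len` large enough to wrap the sum, which is exactly the kind of arithmetic a fixed-size buffer never forced anyone to think about.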
dbrotz
2019-06-11 09:35:57 -07:00
parent 54e5bf0f0c
commit 015d2b0830
6 changed files with 91 additions and 10 deletions


@@ -11,11 +11,14 @@
#include <stdint.h>
#define MAXRPNLEN 1048576
struct Expression {
int32_t nVal;
uint8_t *tRPN;
uint32_t nRPNCapacity;
uint32_t nRPNLength;
uint32_t nRPNPatchSize;
uint32_t nRPNOut;
uint32_t isReloc;
};
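Review bot: the new `nRPNPatchSize` member is added to `struct Expression` without a comment saying how it differs from `nRPNLength`; since the commit message explains that the patch RPN encoding differs from the internal one and can be the longer of the two, a one-line comment on the member (and one on `MAXRPNLEN` stating that it caps both the internal length and the patch size) would keep the header self-explanatory. Consider also spelling the limit as `(1024 * 1024)` or annotating it as 1 MB so the magic number is obvious, and confirm that the `MAXRPNLEN` check (not visible in this hunk) is applied to `nRPNPatchSize` as well as `nRPNLength`, as both are `uint32_t`.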