value_to_string: use snprintf

Currently, value_to_string and debugger_value_to_string use an
error-prone calculation to avoid overflow. This was once adjusted
already, and one of the codepaths is still vulnerable. Put this in a
symfile:

    01:5678 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

and execute `p 1:$5679`. On Linux, the canary terminates the process.
Jakub Kądziołka 2021-02-27 19:33:31 +01:00
parent 54d733f356
commit c9665d0449
No known key found for this signature in database
GPG Key ID: E315A75846131564


@ -131,30 +131,25 @@ static const char *value_to_string(GB_gameboy_t *gb, uint16_t value, bool prefer
symbol = NULL; symbol = NULL;
} }
/* Avoid overflow */
if (symbol && strlen(symbol->name) >= 240) {
symbol = NULL;
}
if (!symbol) { if (!symbol) {
sprintf(output, "$%04x", value); snprintf(output, sizeof output, "$%04x", value);
} }
else if (symbol->addr == value) { else if (symbol->addr == value) {
if (prefer_name) { if (prefer_name) {
sprintf(output, "%s ($%04x)", symbol->name, value); snprintf(output, sizeof output, "%s ($%04x)", symbol->name, value);
} }
else { else {
sprintf(output, "$%04x (%s)", value, symbol->name); snprintf(output, sizeof output, "$%04x (%s)", value, symbol->name);
} }
} }
else { else {
if (prefer_name) { if (prefer_name) {
sprintf(output, "%s+$%03x ($%04x)", symbol->name, value - symbol->addr, value); snprintf(output, sizeof output, "%s+$%03x ($%04x)", symbol->name, value - symbol->addr, value);
} }
else { else {
sprintf(output, "$%04x (%s+$%03x)", value, symbol->name, value - symbol->addr); snprintf(output, sizeof output, "$%04x (%s+$%03x)", value, symbol->name, value - symbol->addr);
} }
} }
return output; return output;
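Review bot: None of the new snprintf calls checks its return value, so the truncation that replaces the old `strlen(symbol->name) >= 240` guard is silent; in the prefer_name branches a long symbol name is cut off and the trailing `($%04x)` address is lost entirely, whereas the removed guard fell back to the bare address. Keeping that fallback, sized from the buffer rather than the magic 240, preserves the old behaviour without the arithmetic the commit message calls error-prone: `if (symbol && strlen(symbol->name) >= sizeof output - 20) { symbol = NULL; }` (the margin covering the longest fixed format suffix). `sizeof output` is only correct if `output` is declared as an array; its declaration and the start of value_to_string lie outside this hunk and should be checked. The same applies to debugger_value_to_string in the second hunk.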
@ -171,30 +166,25 @@ static const char *debugger_value_to_string(GB_gameboy_t *gb, value_t value, boo
symbol = NULL; symbol = NULL;
} }
/* Avoid overflow */
if (symbol && strlen(symbol->name) >= 240) {
symbol = NULL;
}
if (!symbol) { if (!symbol) {
sprintf(output, "$%02x:$%04x", value.bank, value.value); snprintf(output, sizeof output, "$%02x:$%04x", value.bank, value.value);
} }
else if (symbol->addr == value.value) { else if (symbol->addr == value.value) {
if (prefer_name) { if (prefer_name) {
sprintf(output, "%s ($%02x:$%04x)", symbol->name, value.bank, value.value); snprintf(output, sizeof output, "%s ($%02x:$%04x)", symbol->name, value.bank, value.value);
} }
else { else {
sprintf(output, "$%02x:$%04x (%s)", value.bank, value.value, symbol->name); snprintf(output, sizeof output, "$%02x:$%04x (%s)", value.bank, value.value, symbol->name);
} }
} }
else { else {
if (prefer_name) { if (prefer_name) {
sprintf(output, "%s+$%03x ($%02x:$%04x)", symbol->name, value.value - symbol->addr, value.bank, value.value); snprintf(output, sizeof output, "%s+$%03x ($%02x:$%04x)", symbol->name, value.value - symbol->addr, value.bank, value.value);
} }
else { else {
sprintf(output, "$%02x:$%04x (%s+$%03x)", value.bank, value.value, symbol->name, value.value - symbol->addr); snprintf(output, sizeof output, "$%02x:$%04x (%s+$%03x)", value.bank, value.value, symbol->name, value.value - symbol->addr);
} }
} }
return output; return output;