Fix crash on load due to buffer overrun in gba cart loader (nw)

2025-04-21 07:52:35 +03:00 · 2016-03-16 16:55:22 -04:00 · 2016-03-16 16:55:22 -04:00 · 3326bc6fab
commit 3326bc6fab
parent e89f4ae6ba
1 changed files with 6 additions and 6 deletions
--- a/src/devices/bus/gba/gba_slot.cpp
+++ b/src/devices/bus/gba/gba_slot.cpp
@ -295,17 +295,17 @@ int gba_cart_slot_device::get_cart_type(UINT8 *ROM, UINT32 len)
 	// first detect nvram type based on strings inside the file
 	for (int i = 0; i < len; i++)
 	{
-		if (!memcmp(&ROM[i], "EEPROM_V", 8))
+		if ((i<len-8) && !memcmp(&ROM[i], "EEPROM_V", 8))
 			chip |= GBA_CHIP_EEPROM; // should be either GBA_CHIP_EEPROM_4K or GBA_CHIP_EEPROM_64K, but it is not yet possible to automatically detect which one
-		else if ((!memcmp(&ROM[i], "SRAM_V", 6)) || (!memcmp(&ROM[i], "SRAM_F_V", 8))) // || (!memcmp(&data[i], "ADVANCEWARS", 11))) //advance wars 1 & 2 has SRAM, but no "SRAM_" string can be found inside the ROM space
+		else if (((i<len-6) && !memcmp(&ROM[i], "SRAM_V", 6)) || ((i<len-8) && !memcmp(&ROM[i], "SRAM_F_V", 8))) // || ((i<len-11) && !memcmp(&data[i], "ADVANCEWARS", 11))) //advance wars 1 & 2 has SRAM, but no "SRAM_" string can be found inside the ROM space
 			chip |= GBA_CHIP_SRAM;
-		else if (!memcmp(&ROM[i], "FLASH1M_V", 9))
+		else if ((i<len-9) && !memcmp(&ROM[i], "FLASH1M_V", 9))
 			chip |= GBA_CHIP_FLASH_1M;
-		else if (!memcmp(&ROM[i], "FLASH512_V", 10))
+		else if ((i<len-10) && !memcmp(&ROM[i], "FLASH512_V", 10))
 			chip |= GBA_CHIP_FLASH_512;
-		else if (!memcmp(&ROM[i], "FLASH_V", 7))
+		else if ((i<len-7) && !memcmp(&ROM[i], "FLASH_V", 7))
 			chip |= GBA_CHIP_FLASH;
-		else if (!memcmp(&ROM[i], "SIIRTC_V", 8))
+		else if ((i<len-8) && !memcmp(&ROM[i], "SIIRTC_V", 8))
 			chip |= GBA_CHIP_RTC;
 	}
 	osd_printf_info("GBA: Detected (ROM) %s\n", gba_chip_string(chip).c_str());