From 19329fe7c7cdefecd6db5c28da80f5611fc9e6ce Mon Sep 17 00:00:00 2001 From: Brad Parker Date: Sat, 15 Sep 2018 01:21:03 -0400 Subject: [PATCH] prevent out of bound array access for unmapped input binds --- input/input_mapper.c | 32 ++++++++++++++++++-------------- menu/cbs/menu_cbs_get_value.c | 8 +++----- menu/cbs/menu_cbs_left.c | 13 ++++++++----- menu/cbs/menu_cbs_right.c | 11 +++++++---- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/input/input_mapper.c b/input/input_mapper.c index c9c6937a9b..4e9484e237 100644 --- a/input/input_mapper.c +++ b/input/input_mapper.c @@ -117,7 +117,7 @@ void input_mapper_poll(input_mapper_t *handle) input_get_state_for_port(settings, i, ¤t_input); for (j = 0; j < RARCH_CUSTOM_BIND_LIST_END; j++) { - unsigned remap_button = + unsigned remap_button = settings->uints.input_keymapper_ids[i][j]; bool remap_valid = remap_button != RETROK_UNKNOWN; @@ -137,7 +137,7 @@ void input_mapper_poll(input_mapper_t *handle) 0, 0, RETRO_DEVICE_KEYBOARD); key_event[j] = true; } - /* key_event tracks if a key is pressed for ANY PLAYER, so we must check + /* key_event tracks if a key is pressed for ANY PLAYER, so we must check if the key was used by any player before releasing */ else if (!key_event[j]) { @@ -152,10 +152,10 @@ void input_mapper_poll(input_mapper_t *handle) /* gamepad remapping */ case RETRO_DEVICE_JOYPAD: case RETRO_DEVICE_ANALOG: - /* this loop iterates on all users and all buttons, - * and checks if a pressed button is assigned to any - * other button than the default one, then it sets - * the bit on the mapper input bitmap, later on the + /* this loop iterates on all users and all buttons, + * and checks if a pressed button is assigned to any + * other button than the default one, then it sets + * the bit on the mapper input bitmap, later on the * original input is cleared in input_state */ BIT256_CLEAR_ALL(handle->buttons[i]); BIT256_CLEAR_ALL_PTR(¤t_input); @@ -194,7 +194,7 @@ void input_mapper_poll(input_mapper_t *handle) invert = -1; handle->analog_value[i][ - remap_button - RARCH_FIRST_CUSTOM_BIND] = + remap_button - RARCH_FIRST_CUSTOM_BIND] = 32767 * invert; } } @@ -204,7 +204,7 @@ void input_mapper_poll(input_mapper_t *handle) { unsigned k = j + RARCH_FIRST_CUSTOM_BIND; int16_t current_axis_value = current_input.analogs[j]; - unsigned remap_axis = + unsigned remap_axis = settings->uints.input_remap_ids[i][k]; if ( @@ -213,7 +213,7 @@ void input_mapper_poll(input_mapper_t *handle) (remap_axis != RARCH_UNMAPPED) )) { - if (remap_axis < RARCH_FIRST_CUSTOM_BIND && + if (remap_axis < RARCH_FIRST_CUSTOM_BIND && abs(current_axis_value) > *input_driver_get_float(INPUT_ACTION_AXIS_THRESHOLD) * 32767) { BIT256_SET(handle->buttons[i], remap_axis); @@ -221,18 +221,22 @@ void input_mapper_poll(input_mapper_t *handle) else { int invert = 1; + unsigned remap_axis_bind = remap_axis - RARCH_FIRST_CUSTOM_BIND; - if ( (k % 2 == 0 && remap_axis % 2 != 0) || + if ( (k % 2 == 0 && remap_axis % 2 != 0) || (k % 2 != 0 && remap_axis % 2 == 0) ) invert = -1; - handle->analog_value[i][ - remap_axis - RARCH_FIRST_CUSTOM_BIND] = - current_axis_value * invert; + if (remap_axis_bind < sizeof(handle->analog_value[i])) + { + handle->analog_value[i][ + remap_axis_bind] = + current_axis_value * invert; + } #if 0 RARCH_LOG("axis %d(%d) remapped to axis %d val %d\n", - j, k, + j, k, remap_axis - RARCH_FIRST_CUSTOM_BIND, current_axis_value); #endif diff --git a/menu/cbs/menu_cbs_get_value.c b/menu/cbs/menu_cbs_get_value.c index 4c9aaec8cd..3da936156f 100644 --- a/menu/cbs/menu_cbs_get_value.c +++ b/menu/cbs/menu_cbs_get_value.c @@ -603,14 +603,12 @@ static void menu_action_setting_disp_set_label_input_desc( remap_idx = settings->uints.input_remap_ids[user_idx][btn_idx]; -/* - if (remap_idx == RARCH_UNMAPPED) - settings->uints.input_remap_ids[user_idx][btn_idx] = RARCH_UNMAPPED; -*/ + if (!system) return; - descriptor = system->input_desc_btn[user_idx][remap_idx]; + if (remap_idx != RARCH_UNMAPPED) + descriptor = system->input_desc_btn[user_idx][remap_idx]; if (!string_is_empty(descriptor) && remap_idx < RARCH_FIRST_CUSTOM_BIND) strlcpy(s, descriptor, len); diff --git a/menu/cbs/menu_cbs_left.c b/menu/cbs/menu_cbs_left.c index 28613bcf81..29c6285c39 100644 --- a/menu/cbs/menu_cbs_left.c +++ b/menu/cbs/menu_cbs_left.c @@ -321,7 +321,7 @@ static int shader_action_parameter_left(unsigned type, const char *label, bool w video_shader_driver_get_current_shader(&shader_info); param_prev = &shader_info.data->parameters[type - MENU_SETTINGS_SHADER_PARAMETER_0]; - param_menu = shader ? &shader->parameters[type - + param_menu = shader ? &shader->parameters[type - MENU_SETTINGS_SHADER_PARAMETER_0] : NULL; if (!param_prev || !param_menu) @@ -338,7 +338,7 @@ static int audio_mixer_stream_volume_left(unsigned type, const char *label, { unsigned offset = (type - MENU_SETTINGS_AUDIO_MIXER_STREAM_ACTIONS_VOLUME_BEGIN); float orig_volume = 0.0f; - + if (offset >= AUDIO_MIXER_MAX_STREAMS) return 0; @@ -385,9 +385,12 @@ static int action_left_input_desc(unsigned type, const char *label, /* skip the not used buttons (unless they are at the end by calling the right desc function recursively also skip all the axes until analog remapping is implemented */ - if ((string_is_empty(system->input_desc_btn[user_idx][remap_idx]) && remap_idx < RARCH_CUSTOM_BIND_LIST_END) /*|| - (remap_idx >= RARCH_FIRST_CUSTOM_BIND && remap_idx < RARCH_CUSTOM_BIND_LIST_END)*/) - action_left_input_desc(type, label, wraparound); + if (remap_idx != RARCH_UNMAPPED) + { + if ((string_is_empty(system->input_desc_btn[user_idx][remap_idx]) && remap_idx < RARCH_CUSTOM_BIND_LIST_END) /*|| + (remap_idx >= RARCH_FIRST_CUSTOM_BIND && remap_idx < RARCH_CUSTOM_BIND_LIST_END)*/) + action_left_input_desc(type, label, wraparound); + } return 0; } diff --git a/menu/cbs/menu_cbs_right.c b/menu/cbs/menu_cbs_right.c index 47c168775e..1a2caabdc6 100644 --- a/menu/cbs/menu_cbs_right.c +++ b/menu/cbs/menu_cbs_right.c @@ -157,9 +157,12 @@ int action_right_input_desc(unsigned type, const char *label, /* skip the not used buttons (unless they are at the end by calling the right desc function recursively also skip all the axes until analog remapping is implemented */ - if ((string_is_empty(system->input_desc_btn[user_idx][remap_idx]) && remap_idx < RARCH_CUSTOM_BIND_LIST_END) /*|| - (remap_idx >= RARCH_FIRST_CUSTOM_BIND && remap_idx < RARCH_CUSTOM_BIND_LIST_END)*/) - action_right_input_desc(type, label, wraparound); + if (remap_idx != RARCH_UNMAPPED) + { + if ((string_is_empty(system->input_desc_btn[user_idx][remap_idx]) && remap_idx < RARCH_CUSTOM_BIND_LIST_END) /*|| + (remap_idx >= RARCH_FIRST_CUSTOM_BIND && remap_idx < RARCH_CUSTOM_BIND_LIST_END)*/) + action_right_input_desc(type, label, wraparound); + } #if 0 int i = 0; @@ -205,7 +208,7 @@ static int audio_mixer_stream_volume_right(unsigned type, const char *label, { unsigned offset = (type - MENU_SETTINGS_AUDIO_MIXER_STREAM_ACTIONS_VOLUME_BEGIN); float orig_volume = 0.0f; - + if (offset >= AUDIO_MIXER_MAX_STREAMS) return 0;