input: add sanity checks for buf_size

also improve log spam

rpcs3/Emu/Io/Buzz.cpp

@@ -7,12 +7,11 @@
 
 LOG_CHANNEL(buzz_log);
 
-usb_device_buzz::usb_device_buzz(int first_controller, int last_controller, const std::array<u8, 7>& location)
+usb_device_buzz::usb_device_buzz(u32 first_controller, u32 last_controller, const std::array<u8, 7>& location)
 	: usb_device_emulated(location)
+	, m_first_controller(first_controller)
+	, m_last_controller(last_controller)
 {
-	this->first_controller = first_controller;
-	this->last_controller  = last_controller;
-
 	device        = UsbDescriptorNode(USB_DESCRIPTOR_DEVICE, UsbDeviceDescriptor{0x0200, 0x00, 0x00, 0x00, 0x08, 0x054c, 0x0002, 0x05a1, 0x03, 0x01, 0x00, 0x01});
 	auto& config0 = device.add_node(UsbDescriptorNode(USB_DESCRIPTOR_CONFIG, UsbDeviceConfiguration{0x0022, 0x01, 0x01, 0x00, 0x80, 0x32}));
 	config0.add_node(UsbDescriptorNode(USB_DESCRIPTOR_INTERFACE, UsbDeviceInterface{0x00, 0x00, 0x01, 0x03, 0x00, 0x00, 0x00}));
@@ -34,8 +33,7 @@ void usb_device_buzz::control_transfer(u8 bmRequestType, u8 bRequest, u16 wValue
 	case 0x01:
 	case 0x21:
 	case 0x80:
-		buzz_log.error("Unhandled Query Len: 0x%02X", buf_size);
+		buzz_log.error("Unhandled Query: buf_size=0x%02X, Type=0x%02X, bmRequestType=0x%02X", buf_size, (buf_size > 0) ? buf[0] : -1, bmRequestType);
-		buzz_log.error("Unhandled Query Type: 0x%02X", (buf_size > 0) ? buf[0] : -1);
 		break;
 	default:
 		usb_device_emulated::control_transfer(bmRequestType, bRequest, wValue, wIndex, wLength, buf_size, buf, transfer);
@@ -47,6 +45,9 @@ extern bool is_input_allowed();
 
 void usb_device_buzz::interrupt_transfer(u32 buf_size, u8* buf, u32 /*endpoint*/, UsbTransfer* transfer)
 {
+	const u8 max_index = 2 + (4 + 5 * m_last_controller) / 8;
+	ensure(buf_size > max_index);
+
 	transfer->fake            = true;
 	transfer->expected_count  = 5;
 	transfer->expected_result = HC_CC_NOERR;
@@ -70,17 +71,18 @@ void usb_device_buzz::interrupt_transfer(u32 buf_size, u8* buf, u32 /*endpoint*/
 	std::lock_guard lock(pad::g_pad_mutex);
 	const auto handler = pad::get_current_handler();
 	const auto& pads   = handler->GetPads();
+	ensure(pads.size() > m_last_controller);
 
-	for (int index = 0; index <= (last_controller - first_controller); index++)
+	for (u32 i = m_first_controller, index = 0; i <= m_last_controller; i++, index++)
 	{
-		const auto& pad = pads[first_controller + index];
+		const auto& pad = pads[i];
 
 		if (!(pad->m_port_status & CELL_PAD_STATUS_CONNECTED))
 		{
 			continue;
 		}
 
-		for (Button& button : pad->m_buttons)
+		for (const Button& button : pad->m_buttons)
 		{
 			if (!button.m_pressed)
 			{

rpcs3/Emu/Io/Buzz.h

@@ -4,13 +4,14 @@
 
 class usb_device_buzz : public usb_device_emulated
 {
-	int first_controller;
-	int last_controller;
-
 public:
-	usb_device_buzz(int first_controller, int last_controller, const std::array<u8, 7>& location);
+	usb_device_buzz(u32 first_controller, u32 last_controller, const std::array<u8, 7>& location);
 	~usb_device_buzz();
 
 	void control_transfer(u8 bmRequestType, u8 bRequest, u16 wValue, u16 wIndex, u16 wLength, u32 buf_size, u8* buf, UsbTransfer* transfer) override;
 	void interrupt_transfer(u32 buf_size, u8* buf, u32 endpoint, UsbTransfer* transfer) override;
+
+private:
+	u32 m_first_controller;
+	u32 m_last_controller;
 };

rpcs3/Emu/Io/GHLtar.cpp

@@ -36,7 +36,7 @@ void usb_device_ghltar::control_transfer(u8 bmRequestType, u8 bRequest, u16 wVal
 				// Do nothing here - not sure what it should do.
 				break;
 			default:
-					ghltar_log.error("Unhandled Query Type: 0x%02X", buf[0]);
+				ghltar_log.error("Unhandled Query: buf_size=0x%02X, Type=0x%02X, bRequest=0x%02X, bmRequestType=0x%02X", buf_size, (buf_size > 0) ? buf[0] : -1, bRequest, bmRequestType);
 				break;
 			}
 			break;
@@ -50,6 +50,8 @@ extern bool is_input_allowed();
 
 void usb_device_ghltar::interrupt_transfer(u32 buf_size, u8* buf, u32 /*endpoint*/, UsbTransfer* transfer)
 {
+	ensure(buf_size >= 27);
+
 	transfer->fake            = true;
 	transfer->expected_count  = buf_size;
 	transfer->expected_result = HC_CC_NOERR;

rpcs3/Emu/Io/Skylander.cpp

@@ -159,11 +159,11 @@ u8 sky_portal::load_skylander(u8* buf, fs::file in_file)
 {
 	std::lock_guard lock(sky_mutex);
 
-	u32 sky_serial = read_from_ptr<le_t<u32>>(buf);
+	const u32 sky_serial = read_from_ptr<le_t<u32>>(buf);
 	u8 found_slot  = 0xFF;
 
 	// mimics spot retaining on the portal
-	for (auto i = 0; i < 8; i++)
+	for (u8 i = 0; i < 8; i++)
 	{
 		if ((skylanders[i].status & 1) == 0)
 		{
@@ -182,7 +182,7 @@ u8 sky_portal::load_skylander(u8* buf, fs::file in_file)
 
 	ensure(found_slot != 0xFF);
 
-	auto& thesky = skylanders[found_slot];
+	skylander& thesky = skylanders[found_slot];
 	memcpy(thesky.data.data(), buf, thesky.data.size());
 	thesky.sky_file = std::move(in_file);
 	thesky.status   = 3;
@@ -321,7 +321,9 @@ void usb_device_skylander::control_transfer(u8 bmRequestType, u8 bRequest, u16 w
 				q_queries.push(q_result);
 				break;
 			}
-			default: skylander_log.error("Unhandled Query Type: 0x%02X", buf[0]); break;
+			default:
+				skylander_log.error("Unhandled Query: buf_size=0x%02X, Type=0x%02X, bRequest=0x%02X, bmRequestType=0x%02X", buf_size, (buf_size > 0) ? buf[0] : -1, bRequest, bmRequestType);
+				break;
 			}
 			break;
 		}

rpcs3/Emu/Io/Turntable.cpp

@@ -36,7 +36,7 @@ void usb_device_turntable::control_transfer(u8 bmRequestType, u8 bRequest, u16 w
 				// Do nothing here - not sure what it should do.
 				break;
 			default:
-					turntable_log.error("Unhandled Query Type: 0x%02X", buf[0]);
+				turntable_log.error("Unhandled Query: buf_size=0x%02X, Type=0x%02X, bRequest=0x%02X, bmRequestType=0x%02X", buf_size, (buf_size > 0) ? buf[0] : -1, bRequest, bmRequestType);
 				break;
 			}
 			break;
@@ -48,6 +48,8 @@ void usb_device_turntable::control_transfer(u8 bmRequestType, u8 bRequest, u16 w
 
 void usb_device_turntable::interrupt_transfer(u32 buf_size, u8* buf, u32 /*endpoint*/, UsbTransfer* transfer)
 {
+	ensure(buf_size >= 27);
+
 	transfer->fake            = true;
 	transfer->expected_count  = buf_size;
 	transfer->expected_result = HC_CC_NOERR;