fix CVE-2020-24213

3587d3bc · nanahira · 5893ab80 · 3587d3bc · 3587d3bc
Commit 3587d3bc authored Dec 01, 2020 by nanahira
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

gframe/single_duel.cpp gframe/single_duel.cpp +2 -1

gframe/tag_duel.cpp gframe/tag_duel.cpp +2 -1

No files found.
--- a/gframe/single_duel.cpp
+++ b/gframe/single_duel.cpp
@@ -288,7 +288,8 @@ void SingleDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
 	int mainc = BufferIO::ReadInt32(deckbuf);
 	int sidec = BufferIO::ReadInt32(deckbuf);
 	// verify data
-	if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) {
+	const unsigned int possibleMaxLength = (len - 8) / 4;
+	if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
 		STOC_ErrorMsg scem;
 		scem.msg = ERRMSG_DECKERROR;
 		scem.code = 0;

--- a/gframe/tag_duel.cpp
+++ b/gframe/tag_duel.cpp
@@ -263,7 +263,8 @@ void TagDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
 	int mainc = BufferIO::ReadInt32(deckbuf);
 	int sidec = BufferIO::ReadInt32(deckbuf);
 	// verify data
-	if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) {
+	const unsigned int possibleMaxLength = (len - 8) / 4;
+	if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
 		STOC_ErrorMsg scem;
 		scem.msg = ERRMSG_DECKERROR;
 		scem.code = 0;