gonetz / GLideN64

A new generation, open-source graphics plugin for N64 emulators.

Fix out of bounds read/write in gDPLoadTile #2719

Closed Rosalie241 closed 1 year ago

Rosalie241 commented 1 year ago

A RMG user reported a crash in the game Castlevania: Legacy of Darkness (Europe version), see https://github.com/Rosalie241/RMG/issues/57

When investigating the crash, I discovered it crashes here:

#0  UnswapCopyWrap (src=0x7fff9bff0000 "\t\200\032<\300\177Z'\b", srcIdx=602918913, dest=0x7fffcde7f020 <TMEM> "", 
    destIdx=594530256, destMask=4095, numBytes=4294967247)
    at /home/rosalie/dev/RMG/Build/Debug/Source/3rdParty/mupen64plus-video-GLideN64/src/convert.cpp:124
        leadingBytes = 0
        numDWords = 925109246
        trailingBytes = 32767
#1  0x00007fffcdb281ed in gDPLoadTile (tile=7, uls=96, ult=1920, lrs=2012, lrt=1932)
    at /home/rosalie/dev/RMG/Build/Debug/Source/3rdParty/mupen64plus-video-GLideN64/src/gDP.cpp:564
        y = 0
        tmemAddr = 0
        line = 120
        qwpr = 120
        width = 480
        height = 4
        bpl = 960
        alignedWidth = 480
        wmask = 3
        bpr = 960
        info = @0x7fffcde7a6b8: {size = 2 '\002', loadType = 1 '\001', uls = 24, ult = 480, lrs = 503, lrt = 483, 
          width = 480, height = 4, texWidth = 640, texAddress = 7774208, dxt = 2048, bytes = 3840}
        address = 8388656
        bpl2 = 960
        height2 = 4294967168

I discovered an out of bounds read/write in gDPLoadTile, more specifically, it seems that whenever address > RDRAMSize is true, it'll crash. I'm unsure if this a correct fix but it does fix the crash.
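
The failure mode in the backtrace is worth spelling out: numBytes=4294967247 and height2=4294967168 are wrapped unsigned values, so a copy loop driven by them runs far past the 8 MiB RDRAM buffer, and an address that already exceeds RDRAMSize is read even for a small tile. The following is an added illustration of the guard a loader needs, written for this discussion rather than taken from GLideN64 or from this PR's diff (which is not shown on the page). RDRAM_SIZE, TMEM_SIZE, the row parameters and every function name are constructed for the example; the 4095 destination mask mirrors the destMask in the trace.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sizes for the example: 8 MiB RDRAM, 4 KiB TMEM. */
#define RDRAM_SIZE 0x800000u
#define TMEM_SIZE  4096u
#define TMEM_MASK  (TMEM_SIZE - 1u)   /* TMEM index wraps, like destMask = 4095 */

static uint8_t rdram[RDRAM_SIZE];
static uint8_t tmem[TMEM_SIZE];

enum load_status {
    LOAD_OK = 0,
    LOAD_BAD_RECT,      /* bottom row above top row: subtraction would wrap */
    LOAD_SIZE_OVERFLOW, /* rows * bytes-per-line does not fit in 32 bits */
    LOAD_SRC_OOB        /* [address, address + bytes) leaves RDRAM */
};

/* The unchecked arithmetic: rows = lrt - ult + 1, bytes = rows * bpl, all in
   uint32_t. Kept only to show how the huge values in the trace arise. */
uint32_t naive_load_bytes(uint32_t ult, uint32_t lrt, uint32_t bpl)
{
    uint32_t rows = lrt - ult + 1u;  /* wraps to ~4e9 when lrt < ult */
    return rows * bpl;               /* wraps again when the product is large */
}

/* Validate geometry, size and source range before any memory is touched.
   Sets *out_bytes only on LOAD_OK. */
enum load_status check_tile_load(uint32_t address, uint32_t ult, uint32_t lrt,
                                 uint32_t bpl, uint32_t *out_bytes)
{
    if (lrt < ult)
        return LOAD_BAD_RECT;
    uint32_t rows = lrt - ult + 1u;
    if (bpl != 0u && rows > UINT32_MAX / bpl)
        return LOAD_SIZE_OVERFLOW;
    uint32_t bytes = rows * bpl;
    /* Overflow-safe form of "address + bytes <= RDRAM_SIZE". */
    if (address >= RDRAM_SIZE || bytes > RDRAM_SIZE - address)
        return LOAD_SRC_OOB;
    *out_bytes = bytes;
    return LOAD_OK;
}

/* Guarded copy into TMEM. The destination wraps with the mask, so only the
   source side can run out of bounds; a bad request is refused, not clamped. */
enum load_status load_tile(uint32_t address, uint32_t ult, uint32_t lrt,
                           uint32_t bpl, uint32_t tmem_addr)
{
    uint32_t bytes = 0;
    enum load_status st = check_tile_load(address, ult, lrt, bpl, &bytes);
    if (st != LOAD_OK)
        return st;
    for (uint32_t i = 0; i < bytes; ++i)
        tmem[(tmem_addr + i) & TMEM_MASK] = rdram[address + i];
    return LOAD_OK;
}

/* Small accessors so callers need not touch the static buffers directly. */
void rdram_write(uint32_t idx, uint8_t v) { rdram[idx % RDRAM_SIZE] = v; }
uint8_t tmem_read(uint32_t idx)          { return tmem[idx & TMEM_MASK]; }

int main(void)
{
    /* address 8388656 is the value from the backtrace: it already lies past
       an 8 MiB RDRAM, so the load is rejected before a single byte is read. */
    enum load_status st = load_tile(8388656u, 0u, 3u, 960u, 0u);
    printf("load at 8388656 -> status %d (3 = LOAD_SRC_OOB)\n", (int)st);
    printf("naive bytes for lrt < ult: %u\n", naive_load_bytes(10u, 5u, 960u));
    return 0;
}
```

The two checks that matter for the crash in this issue are the row order test (so the subtraction cannot wrap) and the subtraction-based range test `bytes > RDRAM_SIZE - address`, which stays correct even when `address + bytes` itself would overflow.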

gonetz commented 1 year ago

> When investigating the crash, I discovered it crashes here:

The fix looks correct, but I'll check the problem first. Thanks!