Bug#930463: mednafen: potential unchecked memory access in the Lynx emulator
Stephen Kitt
skitt at debian.org
Thu Jun 13 07:45:36 BST 2019
Package: mednafen
Version: 0.9.41+dfsg-2+b1
Severity: serious
Tags: patch security
Justification: security
Dear Maintainer,
(Note for the security team: this has been published in the 1.22.2
upstream release. I’m not aware of any exploit for this issue. This is
qualified as a potential security issue by upstream, hence the
“serious” severity rather than grave. The patch applies to both the
Stretch and Buster versions.)
Upstream fixed a potential unchecked memory access in the Lynx
emulator in the latest release of Mednafen; the attached patch fixes
it.
Regards,
Stephen
-- System Information:
Debian Release: 9.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'unstable-debug'), (100, 'testing-debug'), (100, 'unstable'), (100, 'testing'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-9-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages mednafen depends on:
ii libasound2 1.1.3-5
ii libc6 2.24-11+deb9u4
ii libgcc1 1:6.3.0-18+deb9u1
ii libjack-jackd2-0 [libjack-0.125] 1.9.10+20150825git1ed50c92~dfsg-5
ii libmpcdec6 2:0.1~r495-1+b1
ii libsdl1.2debian 1.2.15+dfsg1-4
ii libsndfile1 1.0.27-3
ii libstdc++6 6.3.0-18+deb9u1
ii libtrio2 1.16+dfsg1-3+b2
ii libvorbisidec1 1.0.2+svn18153-1+deb9u1
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages mednafen recommends:
ii mednaffe 0.8.4-1+b1
mednafen suggests no packages.
-- no debconf information
-------------- next part --------------
diff -rupN 1.22.1/src/lynx/ram.h 1.22.2/src/lynx/ram.h
--- 1.22.1/src/lynx/ram.h 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/ram.h 2019-04-23 14:54:58.000000000 -0700
@@ -65,8 +65,8 @@ class CRam : public CLynxBase
void Reset(void) MDFN_COLD;
- void Poke(uint32 addr, uint8 data){ mRamData[addr]=data;};
- uint8 Peek(uint32 addr){ return(mRamData[addr]);};
+ void Poke(uint32 addr, uint8 data){ mRamData[(uint16)addr]=data;};
+ uint8 Peek(uint32 addr){ return(mRamData[(uint16)addr]);};
uint32 ReadCycle(void) {return 5;};
uint32 WriteCycle(void) {return 5;};
uint32 ObjectSize(void) {return RAM_SIZE;};
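Review bot: The `(uint16)` cast in `Poke` and `Peek` only bounds the access if `mRamData` holds at least 65536 bytes, and nothing in this hunk pins that. The declaration of `mRamData` is outside the hunk, so I am assuming it is sized by `RAM_SIZE`. I would add `static_assert(RAM_SIZE >= 0x10000, "16-bit RAM index must stay inside mRamData");` next to the accessors, plus a short comment that out-of-range addresses now wrap instead of being rejected. The same assumption sits behind the `RAM_PEEK`/`RAM_PEEKW`/`RAM_POKE` macros in susie.cpp, which index the buffer obtained through `GetRamPointer()`. Separately, the `mMemoryHandlers[addr]` lookups shown as context in system.h still index with an untruncated `uint32` (after `addr++` in `PokeW_CPU`), so it is worth confirming that table's bounds are enforced elsewhere.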
diff -rupN 1.22.1/src/lynx/susie.cpp 1.22.2/src/lynx/susie.cpp
--- 1.22.1/src/lynx/susie.cpp 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/susie.cpp 2019-04-23 14:54:58.000000000 -0700
@@ -58,13 +58,9 @@
// wa can access this directly without the hassle of
// going through the system object, much faster
//
-//#define RAM_PEEK(m) (mSystem.Peek_RAM((m)))
-//#define RAM_POKE(m1,m2) (mSystem.Poke_RAM((m1),(m2)))
-//#define RAM_PEEKW(m) (mSystem.PeekW_RAM((m)))
-
-#define RAM_PEEK(m) (mRamPointer[(m)])
-#define RAM_PEEKW(m) (mRamPointer[(m)]+(mRamPointer[(m)+1]<<8))
-#define RAM_POKE(m1,m2) {mRamPointer[(m1)]=(m2);}
+#define RAM_PEEK(m) (mRamPointer[(uint16)(m)])
+#define RAM_PEEKW(m) (mRamPointer[(uint16)(m)]+(mRamPointer[(uint16)((m)+1)]<<8))
+#define RAM_POKE(m1,m2) {mRamPointer[(uint16)(m1)]=(m2);}
uint32 cycles_used=0;
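Review bot: `RAM_PEEKW` is only safe because the cast wraps the whole sum, `(uint16)((m)+1)`, and nothing in the macro block says so. A later tidy-up to `(uint16)(m)+1` would index 0x10000 when `m` is 0xFFFF. I would add above the three macros `// Indices are truncated to 16 bits; RAM_PEEKW at 0xFFFF takes its high byte from 0x0000.` `RAM_PEEKW` also evaluates `m` twice, so an argument with side effects would misbehave; the call sites are outside this hunk, so that is a caution rather than a confirmed defect.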
@@ -838,7 +834,7 @@ uint32 CSusie::PaintSprites(void)
INLINE void CSusie::WritePixel(uint32 hoff,uint32 pixel)
{
- uint32 scr_addr=mLineBaseAddress+(hoff/2);
+ const uint16 scr_addr=mLineBaseAddress+(hoff/2);
uint8 dest=RAM_PEEK(scr_addr);
if(!(hoff&0x01))
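Review bot: The narrowing in `const uint16 scr_addr=mLineBaseAddress+(hoff/2);` is implicit, so the truncation the fix relies on reads like an accident and will trip `-Wconversion`. Writing `const uint16 scr_addr=(uint16)(mLineBaseAddress+(hoff/2));` states the intent. The same applies to the `scr_addr` line in `ReadPixel` and the `col_addr` lines in `WriteCollision` and `ReadCollision` in the following hunks. The type of `mLineBaseAddress` is not visible here, and the body of `WritePixel` continues past the end of the hunk.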
@@ -861,7 +857,7 @@ INLINE void CSusie::WritePixel(uint32 ho
INLINE uint32 CSusie::ReadPixel(uint32 hoff)
{
- uint32 scr_addr=mLineBaseAddress+(hoff/2);
+ const uint16 scr_addr=mLineBaseAddress+(hoff/2);
uint32 data=RAM_PEEK(scr_addr);
if(!(hoff&0x01))
@@ -883,7 +879,7 @@ INLINE uint32 CSusie::ReadPixel(uint32 h
INLINE void CSusie::WriteCollision(uint32 hoff,uint32 pixel)
{
- uint32 col_addr=mLineCollisionAddress+(hoff/2);
+ const uint16 col_addr=mLineCollisionAddress+(hoff/2);
uint8 dest=RAM_PEEK(col_addr);
if(!(hoff&0x01))
@@ -906,7 +902,7 @@ INLINE void CSusie::WriteCollision(uint3
INLINE uint32 CSusie::ReadCollision(uint32 hoff)
{
- uint32 col_addr=mLineCollisionAddress+(hoff/2);
+ const uint16 col_addr=mLineCollisionAddress+(hoff/2);
uint32 data=RAM_PEEK(col_addr);
if(!(hoff&0x01))
diff -rupN 1.22.1/src/lynx/sysbase.h 1.22.2/src/lynx/sysbase.h
--- 1.22.1/src/lynx/sysbase.h 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/sysbase.h 2019-04-23 14:54:58.000000000 -0700
@@ -61,11 +61,6 @@ class CSystemBase
virtual void PokeW_CPU(uint32 addr,uint16 data)=0;
virtual uint16 PeekW_CPU(uint32 addr)=0;
- virtual void Poke_RAM(uint32 addr,uint8 data)=0;
- virtual uint8 Peek_RAM(uint32 addr)=0;
- virtual void PokeW_RAM(uint32 addr,uint16 data)=0;
- virtual uint16 PeekW_RAM(uint32 addr)=0;
-
virtual uint8* GetRamPointer(void)=0;
};
diff -rupN 1.22.1/src/lynx/system.h 1.22.2/src/lynx/system.h
--- 1.22.1/src/lynx/system.h 2019-01-27 22:52:37.000000000 -0800
+++ 1.22.2/src/lynx/system.h 2019-04-23 14:54:58.000000000 -0700
@@ -158,14 +158,6 @@ class CSystem : public CSystemBase
inline void PokeW_CPU(uint32 addr,uint16 data) { mMemoryHandlers[addr]->Poke(addr,data&0xff);addr++;mMemoryHandlers[addr]->Poke(addr,data>>8);};
inline uint16 PeekW_CPU(uint32 addr) {return ((mMemoryHandlers[addr]->Peek(addr))+(mMemoryHandlers[addr]->Peek(addr+1)<<8));};
- //
- // RAM
- //
- inline void Poke_RAM(uint32 addr, uint8 data) { mRam->Poke(addr,data);};
- inline uint8 Peek_RAM(uint32 addr) { return mRam->Peek(addr);};
- inline void PokeW_RAM(uint32 addr,uint16 data) { mRam->Poke(addr,data&0xff);addr++;mRam->Poke(addr,data>>8);};
- inline uint16 PeekW_RAM(uint32 addr) {return ((mRam->Peek(addr))+(mRam->Peek(addr+1)<<8));};
-
// High level cart access for debug etc
inline void Poke_CART(uint32 addr, uint8 data) {mCart->Poke(addr,data);};