Commit 0087c9b9 authored by nanahira's avatar nanahira Committed by GitHub

fix CVE-2020-24213 (#2327)

parent 01bb8e67
......@@ -288,7 +288,8 @@ void SingleDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
int mainc = BufferIO::ReadInt32(deckbuf);
int sidec = BufferIO::ReadInt32(deckbuf);
// verify data
if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) {
const unsigned int possibleMaxLength = (len - 8) / 4;
if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
STOC_ErrorMsg scem;
scem.msg = ERRMSG_DECKERROR;
scem.code = 0;
......
......@@ -263,7 +263,8 @@ void TagDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
int mainc = BufferIO::ReadInt32(deckbuf);
int sidec = BufferIO::ReadInt32(deckbuf);
// verify data
if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) {
const unsigned int possibleMaxLength = (len - 8) / 4;
if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
STOC_ErrorMsg scem;
scem.msg = ERRMSG_DECKERROR;
scem.code = 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment