Commit 3587d3bc authored by nanahira's avatar nanahira

fix CVE-2020-24213

parent 5893ab80
...@@ -288,7 +288,8 @@ void SingleDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) { ...@@ -288,7 +288,8 @@ void SingleDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
int mainc = BufferIO::ReadInt32(deckbuf); int mainc = BufferIO::ReadInt32(deckbuf);
int sidec = BufferIO::ReadInt32(deckbuf); int sidec = BufferIO::ReadInt32(deckbuf);
// verify data // verify data
if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) { const unsigned int possibleMaxLength = (len - 8) / 4;
if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
STOC_ErrorMsg scem; STOC_ErrorMsg scem;
scem.msg = ERRMSG_DECKERROR; scem.msg = ERRMSG_DECKERROR;
scem.code = 0; scem.code = 0;
......
...@@ -263,7 +263,8 @@ void TagDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) { ...@@ -263,7 +263,8 @@ void TagDuel::UpdateDeck(DuelPlayer* dp, void* pdata, unsigned int len) {
int mainc = BufferIO::ReadInt32(deckbuf); int mainc = BufferIO::ReadInt32(deckbuf);
int sidec = BufferIO::ReadInt32(deckbuf); int sidec = BufferIO::ReadInt32(deckbuf);
// verify data // verify data
if((unsigned)mainc + (unsigned)sidec > (len - 8) / 4) { const unsigned int possibleMaxLength = (len - 8) / 4;
if((unsigned)mainc > possibleMaxLength || (unsigned)sidec > possibleMaxLength || (unsigned)mainc + (unsigned)sidec > possibleMaxLength) {
STOC_ErrorMsg scem; STOC_ErrorMsg scem;
scem.msg = ERRMSG_DECKERROR; scem.msg = ERRMSG_DECKERROR;
scem.code = 0; scem.code = 0;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment