From 0de7c661b7c39f2d13a0db29f3f09803a5e577db Mon Sep 17 00:00:00 2001
From: Ryan Pavlik
Date: Thu, 28 Jun 2012 17:05:39 -0500
Subject: [PATCH] Added bounds safety checking

---
 src/classic.c | 5 +++--
 src/nunchuk.c | 6 +++---
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/classic.c b/src/classic.c
index 69869a8..41e7ad0 100644
--- a/src/classic.c
+++ b/src/classic.c
@@ -49,6 +49,7 @@ static void classic_ctrl_pressed_buttons(struct classic_ctrl_t* cc, short now);
  *
  *	@return Returns 1 if handshake was successful, 0 if not.
  */
+#define HANDSHAKE_BYTES_USED 12
 int classic_ctrl_handshake(struct wiimote_t* wm, struct classic_ctrl_t* cc, byte* data, unsigned short len) {
 	int i;
 
@@ -58,7 +59,7 @@ int classic_ctrl_handshake(struct wiimote_t* wm, struct classic_ctrl_t* cc, byte
 	cc->r_shoulder = 0;
 	cc->l_shoulder = 0;
 
-	if (data[0] == 0xFF) {
+	if (data[0] == 0xFF || len < HANDSHAKE_BYTES_USED) {
 		/*
 		 *	Sometimes the data returned here is not correct.
 		 *	This might happen because the wiimote is lagging
@@ -69,7 +70,7 @@ int classic_ctrl_handshake(struct wiimote_t* wm, struct classic_ctrl_t* cc, byte
 		 *	but since the next 16 bytes are the same, just use
 		 *	those.
 		 */
-		if (data[16] == 0xFF) {
+		if (len < 17 || len < HANDSHAKE_BYTES_USED + 16 || data[16] == 0xFF) {
 			/* get the calibration data */
 			byte* handshake_buf = (byte *)malloc(EXP_HANDSHAKE_LEN * sizeof(byte));
 
diff --git a/src/nunchuk.c b/src/nunchuk.c
index ede5a7e..db23d0f 100644
--- a/src/nunchuk.c
+++ b/src/nunchuk.c
@@ -48,6 +48,7 @@
  *
  *	@return Returns 1 if handshake was successful, 0 if not.
  */
++#define HANDSHAKE_BYTES_USED 14
 int nunchuk_handshake(struct wiimote_t* wm, struct nunchuk_t* nc, byte* data, unsigned short len) {
 	int i;
 
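Review bot: `HANDSHAKE_BYTES_USED` is introduced as a bare `#define` with one value in classic.c (12) and another in nunchuk.c (14); each is private to its translation unit, but a reader searching for the name finds two meanings, and the two would collide the moment either file gains a shared header. A distinctly named, debugger-visible constant such as `enum { CLASSIC_HANDSHAKE_BYTES_USED = 12 };` (and a nunchuk counterpart) avoids both problems. The nunchuk.c hunk at -48,6 shows the added line as `++#define HANDSHAKE_BYTES_USED 14`; if the second `+` is actually in the file rather than an artefact of how the patch was captured, that line will not compile and should be confirmed. Neither define says which part of the handshake report the count covers; a one-line comment on each stating what those bytes are would let a reader judge the new length checks without reading the parser below.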
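Review bot: `data[0]` is still evaluated before the new length test in `if (data[0] == 0xFF || len < HANDSHAKE_BYTES_USED) {`, so a zero-length report indexes past the buffer before the guard can reject it; the operands should be swapped so the cheap bound is checked first, `if (len < HANDSHAKE_BYTES_USED || data[0] == 0xFF) {`. The same ordering applies to the nunchuk.c hunk at -60,8. A short report now falls into the retry path that the comment beneath describes only as the 0xFF case, so the comment could gain a sentence saying a truncated report is treated the same way. The body of classic_ctrl_handshake continues outside the hunk.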
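Review bot: In `if (len < 17 || len < HANDSHAKE_BYTES_USED + 16 || data[16] == 0xFF) {` the `len < 17` term is redundant, since `HANDSHAKE_BYTES_USED + 16` is 28 in this file (30 in nunchuk.c) and the second comparison already covers it; `if (len < HANDSHAKE_BYTES_USED + 16 || data[16] == 0xFF) {` expresses the single rule the check enforces. The same simplification applies to the nunchuk.c hunk at -72,7. The else branch, which I would expect to consume bytes from offset 16 onward, lies outside the hunk, so I could not confirm it stays within `len`; the unchecked `malloc` on the following context line predates this change. classic_ctrl_handshake continues past the end of the hunk.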
@@ -60,8 +61,7 @@ int nunchuk_handshake(struct wiimote_t* wm, struct nunchuk_t* nc, byte* data, un
 	nc->accel_calib.st_alpha = wm->accel_calib.st_alpha;
 
 	/* decrypt data */
-
-	if (data[0] == 0xFF) {
+	if (data[0] == 0xFF || len < HANDSHAKE_BYTES_USED) {
 		/*
 		 *	Sometimes the data returned here is not correct.
 		 *	This might happen because the wiimote is lagging
@@ -72,7 +72,7 @@ int nunchuk_handshake(struct wiimote_t* wm, struct nunchuk_t* nc, byte* data, un
 		 *	but since the next 16 bytes are the same, just use
 		 *	those.
 		 */
-		if (data[16] == 0xFF) {
+		if (len < 17 || len < HANDSHAKE_BYTES_USED + 16 || data[16] == 0xFF) {
 			/* get the calibration data */
 			byte* handshake_buf = (byte *)malloc(EXP_HANDSHAKE_LEN * sizeof(byte));