From 09f456484cb401856d5dda1af5b80a659b7c2097 Mon Sep 17 00:00:00 2001
From: Vicki Pfau
Date: Fri, 19 Jul 2024 19:42:38 -0700
Subject: [PATCH] GB Serialize: Prevent loading invalid states where LY >= 144 in modes other than 1

---
 CHANGES | 1 +
 src/gb/serialize.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/CHANGES b/CHANGES
index ff9c74489c4..9af2528d96a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -24,6 +24,7 @@ Other fixes:
 - Debugger: Fix writing to specific segment in command-line debugger
 - GB: Fix uninitialized save data when loading undersized temporary saves
 - GB, GBA Core: Fix memory leak if reloading debug symbols
+ - GB Serialize: Prevent loading invalid states where LY >= 144 in modes other than 1
 - GBA Audio: Fix crash if audio FIFOs and timers get out of sync
 - GBA Audio: Fix crash in audio subsampling if timing lockstep breaks
 - GBA Core: Fix loading symbols from ELF files if the file doesn't end with .elf
diff --git a/src/gb/serialize.c b/src/gb/serialize.c
index 0abdc1958f0..8f874d8eb82 100644
--- a/src/gb/serialize.c
+++ b/src/gb/serialize.c
@@ -122,6 +122,13 @@ bool GBDeserialize(struct GB* gb, const struct GBSerializedState* state) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video y is out of range");
 error = true;
 }
+ GBSerializedVideoFlags videoFlags = state->video.flags;
+ if (check16 >= GB_VIDEO_VERTICAL_PIXELS && GBSerializedVideoFlagsGetMode(videoFlags) != 1) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: video y is in vblank but mode is not vblank");
 error = true;
 }
+ LOAD_16LE(ucheck16, 0, &state->memory.dmaDest);
 if (ucheck16 + state->memory.dmaRemaining > GB_SIZE_OAM) {
 mLOG(GB_STATE, WARN, "Savestate is corrupted: DMA destination is out of range");
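Review bot: The new check in GBDeserialize rejects LY >= 144 outside mode 1 but still accepts the converse, a savestate whose flags report mode 1 (vblank, per the hunk's own log message) while check16 is below GB_VIDEO_VERTICAL_PIXELS, which is an equally inconsistent video state coming from the same untrusted savestate buffer. Unless the core itself can legitimately report mode 1 with LY below 144 (worth confirming against the video timing code, e.g. around the line-153/LY-0 wraparound), the condition should cover both directions: `if ((check16 >= GB_VIDEO_VERTICAL_PIXELS) != (GBSerializedVideoFlagsGetMode(videoFlags) == 1)) {`, with the warning reworded to "video y and mode disagree about vblank". The literal `1` for the vblank mode would also read better as a named constant if the project already defines one for the STAT mode values. The body of GBDeserialize, including the line that loads check16, starts and ends outside this hunk.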