fs.mitm: Fix UAF in every DirEntry processed.

How on earth did this code ever work?
Michael Scire 2018-07-19 21:17:57 -06:00
parent 3db9ce32fa
commit a46e796f4d


@ -236,7 +236,7 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
RomFSDirectoryEntry *dir_table = (RomFSDirectoryEntry *)((uintptr_t)dir_hash_table + this->dir_hash_table_size); RomFSDirectoryEntry *dir_table = (RomFSDirectoryEntry *)((uintptr_t)dir_hash_table + this->dir_hash_table_size);
u32 *file_hash_table = (u32 *)((uintptr_t)dir_table + this->dir_table_size); u32 *file_hash_table = (u32 *)((uintptr_t)dir_table + this->dir_table_size);
RomFSFileEntry *file_table = (RomFSFileEntry *)((uintptr_t)file_hash_table + this->file_hash_table_size); RomFSFileEntry *file_table = (RomFSFileEntry *)((uintptr_t)file_hash_table + this->file_hash_table_size);
/* Clear out hash tables. */ /* Clear out hash tables. */
for (u32 i = 0; i < dir_hash_table_entry_count; i++) { for (u32 i = 0; i < dir_hash_table_entry_count; i++) {
dir_hash_table[i] = ROMFS_ENTRY_EMPTY; dir_hash_table[i] = ROMFS_ENTRY_EMPTY;
@ -332,11 +332,7 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
default: default:
fatalSimple(0xF601); fatalSimple(0xF601);
} }
delete cur_file->path;
delete cur_file;
} }
this->files.clear();
/* Populate dir tables. */ /* Populate dir tables. */
for (const auto &it : this->directories) { for (const auto &it : this->directories) {
@ -362,6 +358,14 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
this->root = NULL; this->root = NULL;
this->directories.clear(); this->directories.clear();
/* Delete files. */
for (const auto &it : this->files) {
cur_file = it.second;
delete cur_file->path;
delete cur_file;
}
this->files.clear();
/* Set header fields. */ /* Set header fields. */
header->header_size = sizeof(*header); header->header_size = sizeof(*header);
header->file_hash_table_size = this->file_hash_table_size; header->file_hash_table_size = this->file_hash_table_size;
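Review bot: The ordering constraint that the relocated deletion loop now depends on is not recorded in the hunk, so a future reorder can silently reintroduce the use-after-free this commit fixes; I would replace `/* Delete files. */` with `/* Delete files. Must stay after the dir/file table population above: those loops still dereference the entries held in this->files. */` (that the table loops read the file entries is inferred from the commit title, not visible in this hunk). Separately, `delete cur_file->path;` is only correct if path was allocated with scalar new; if it is a new[]-allocated character buffer it needs `delete[]`, and the allocation site is outside the hunk, so please confirm. Longer term, holding the entries in this->files as std::unique_ptr (and path as a std::string member) would make the lifetime explicit and remove the manual delete loop entirely. Build() begins and ends outside this hunk.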