fs.mitm: Fix UAF in every DirEntry processed.
How on earth did this code ever work?
parent
3db9ce32fa
commit
a46e796f4d
1 changed files with 9 additions and 5 deletions
|
@ -236,7 +236,7 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
|
||||||
RomFSDirectoryEntry *dir_table = (RomFSDirectoryEntry *)((uintptr_t)dir_hash_table + this->dir_hash_table_size);
|
RomFSDirectoryEntry *dir_table = (RomFSDirectoryEntry *)((uintptr_t)dir_hash_table + this->dir_hash_table_size);
|
||||||
u32 *file_hash_table = (u32 *)((uintptr_t)dir_table + this->dir_table_size);
|
u32 *file_hash_table = (u32 *)((uintptr_t)dir_table + this->dir_table_size);
|
||||||
RomFSFileEntry *file_table = (RomFSFileEntry *)((uintptr_t)file_hash_table + this->file_hash_table_size);
|
RomFSFileEntry *file_table = (RomFSFileEntry *)((uintptr_t)file_hash_table + this->file_hash_table_size);
|
||||||
|
|
||||||
/* Clear out hash tables. */
|
/* Clear out hash tables. */
|
||||||
for (u32 i = 0; i < dir_hash_table_entry_count; i++) {
|
for (u32 i = 0; i < dir_hash_table_entry_count; i++) {
|
||||||
dir_hash_table[i] = ROMFS_ENTRY_EMPTY;
|
dir_hash_table[i] = ROMFS_ENTRY_EMPTY;
|
||||||
|
@ -332,11 +332,7 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
|
||||||
default:
|
default:
|
||||||
fatalSimple(0xF601);
|
fatalSimple(0xF601);
|
||||||
}
|
}
|
||||||
|
|
||||||
delete cur_file->path;
|
|
||||||
delete cur_file;
|
|
||||||
}
|
}
|
||||||
this->files.clear();
|
|
||||||
|
|
||||||
/* Populate dir tables. */
|
/* Populate dir tables. */
|
||||||
for (const auto &it : this->directories) {
|
for (const auto &it : this->directories) {
|
||||||
|
@ -362,6 +358,14 @@ void RomFSBuildContext::Build(std::vector<RomFSSourceInfo> *out_infos) {
|
||||||
this->root = NULL;
|
this->root = NULL;
|
||||||
this->directories.clear();
|
this->directories.clear();
|
||||||
|
|
||||||
|
/* Delete files. */
|
||||||
|
for (const auto &it : this->files) {
|
||||||
|
cur_file = it.second;
|
||||||
|
delete cur_file->path;
|
||||||
|
delete cur_file;
|
||||||
|
}
|
||||||
|
this->files.clear();
|
||||||
|
|
||||||
/* Set header fields. */
|
/* Set header fields. */
|
||||||
header->header_size = sizeof(*header);
|
header->header_size = sizeof(*header);
|
||||||
header->file_hash_table_size = this->file_hash_table_size;
|
header->file_hash_table_size = this->file_hash_table_size;
|
||||||
|
|
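Review bot: The relocated cleanup loop in the last hunk (-362,6 +358,14) is commented only as `/* Delete files. */`, so nothing records that its position after the directory pass is what prevents the use-after-free. Judging by the commit title, the "Populate dir tables" loop still reads the file entries; the comment should say so, e.g. `/* Delete files. Must stay after the dir tables are populated: that pass still reads these entries. */`. Longer term, letting `this->files` own its entries (for instance via `std::unique_ptr`) would tie their lifetime to `this->files.clear()` instead of to statement order. Separately, `delete cur_file->path;` is only correct if `path` was allocated with scalar `new`; the allocation is not visible here, so confirm it is not `new[]`, which would need `delete[]`. `Build`'s body starts and ends outside these hunks.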