From 4f2a6f16d36cacfcfe98ba86b205af5634d47a29 Mon Sep 17 00:00:00 2001
From: CTCaer
Date: Tue, 11 Oct 2022 04:37:17 +0300
Subject: [PATCH] nyx: fix use after free and a heap corruption

Fix use after free and a heap corruption on emummc config loading/freeing that could cause hangs when entering emummc window.
---
 nyx/nyx_gui/frontend/fe_emummc_tools.c | 18 ++++++++++++------
 nyx/nyx_gui/frontend/gui_emummc_tools.c | 4 ++++
 nyx/nyx_gui/frontend/gui_tools.c | 17 +++++++++++++++++
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/nyx/nyx_gui/frontend/fe_emummc_tools.c b/nyx/nyx_gui/frontend/fe_emummc_tools.c
index 1354e9d..be61d53 100644
--- a/nyx/nyx_gui/frontend/fe_emummc_tools.c
+++ b/nyx/nyx_gui/frontend/fe_emummc_tools.c
@@ -51,16 +51,22 @@ void load_emummc_cfg(emummc_cfg_t *emu_info)
 {
 LIST_FOREACH_ENTRY(ini_kv_t, kv, &ini_sec->kvs, link)
 {
- if (!strcmp("enabled", kv->key))
+ if (!strcmp("enabled", kv->key))
 emu_info->enabled = atoi(kv->val);
 else if (!strcmp("sector", kv->key))
 emu_info->sector = strtol(kv->val, NULL, 16);
- else if (!strcmp("id", kv->key))
- emu_info->id = strtol(kv->val, NULL, 16);
- else if (!strcmp("path", kv->key))
- emu_info->path = kv->val;
+ else if (!strcmp("id", kv->key))
+ emu_info->id = strtol(kv->val, NULL, 16);
+ else if (!strcmp("path", kv->key))
+ {
+ emu_info->path = (char *)malloc(strlen(kv->val) + 1);
+ strcpy(emu_info->path, kv->val);
+ }
 else if (!strcmp("nintendo_path", kv->key))
- emu_info->nintendo_path = kv->val;
+ {
+ emu_info->nintendo_path = (char *)malloc(strlen(kv->val) + 1);
+ strcpy(emu_info->nintendo_path, kv->val);
+ }
 }
 break;
diff --git a/nyx/nyx_gui/frontend/gui_emummc_tools.c b/nyx/nyx_gui/frontend/gui_emummc_tools.c
index b7d0b5d..958d298 100644
--- a/nyx/nyx_gui/frontend/gui_emummc_tools.c
+++ b/nyx/nyx_gui/frontend/gui_emummc_tools.c
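Review bot: In the `path` and `nintendo_path` branches the result of `malloc(strlen(kv->val) + 1)` goes straight into `strcpy` with no NULL check, so an allocation failure turns into a write through a null pointer rather than a missing path. The two branches are the same four lines twice, and C needs no `(char *)` cast on `malloc`; a file-local helper that copies a value and checks the allocation brings each branch back to one line. Because `load_emummc_cfg()` now hands heap-owned strings back to its caller, that transfer belongs on its declaration, e.g. `/* path and nintendo_path are heap-allocated copies; the caller must free() them. */`. If the section repeats a key, the earlier copy is leaked (I cannot see whether the INI parser rejects duplicates, so this is a hedge rather than a finding). `load_emummc_cfg()` starts and ends outside the hunk.
```c
// Copy an INI value so it outlives the parsed section list; returns NULL on
// allocation failure. The caller owns the result.
static char *_dup_cfg_val(const char *val)
{
	char *copy = malloc(strlen(val) + 1);
	if (copy)
		strcpy(copy, val);
	return copy;
}

// … unchanged: load_emummc_cfg() up to the "path" branch …
	else if (!strcmp("path", kv->key))
		emu_info->path = _dup_cfg_val(kv->val);
	else if (!strcmp("nintendo_path", kv->key))
		emu_info->nintendo_path = _dup_cfg_val(kv->val);
```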
@@ -1234,6 +1234,10 @@ lv_res_t create_win_emummc_tools(lv_obj_t *btn)
 lv_label_set_static_text(label_txt2, "emuMMC is disabled and eMMC will be used for boot.\n\n");
 }
 
+ if (emu_info.path)
+ free(emu_info.path);
+ if (emu_info.nintendo_path)
+ free(emu_info.nintendo_path);
 free(txt_buf);
 
 lv_obj_set_style(label_txt2, &hint_small_style);
diff --git a/nyx/nyx_gui/frontend/gui_tools.c b/nyx/nyx_gui/frontend/gui_tools.c
index eb77ede..ada6336 100644
--- a/nyx/nyx_gui/frontend/gui_tools.c
+++ b/nyx/nyx_gui/frontend/gui_tools.c
@@ -34,6 +34,8 @@ extern volatile boot_cfg_t *b_cfg;
 extern hekate_config h_cfg;
 extern nyx_config n_cfg;
 
+lv_obj_t *ums_mbox;
+
 extern char *emmcsn_path_impl(char *path, char *sub_dir, char *filename, sdmmc_storage_t *storage);
 
 static lv_obj_t *_create_container(lv_obj_t *parent)
@@ -498,6 +500,11 @@ static lv_res_t _action_ums_emuemmc_boot0(lv_obj_t *btn)
 usbs.offset = emu_info.sector;
 }
 }
+
+ if (emu_info.path)
+ free(emu_info.path);
+ if (emu_info.nintendo_path)
+ free(emu_info.nintendo_path);
 }
 
 sd_unmount();
@@ -540,6 +547,11 @@ static lv_res_t _action_ums_emuemmc_boot1(lv_obj_t *btn)
 usbs.offset = emu_info.sector + 0x2000;
 }
 }
+
+ if (emu_info.path)
+ free(emu_info.path);
+ if (emu_info.nintendo_path)
+ free(emu_info.nintendo_path);
 }
 
 sd_unmount();
@@ -592,6 +604,11 @@ static lv_res_t _action_ums_emuemmc_gpp(lv_obj_t *btn)
 }
 }
 }
+
+ if (emu_info.path)
+ free(emu_info.path);
+ if (emu_info.nintendo_path)
+ free(emu_info.nintendo_path);
 }
 
 sd_unmount();
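Review bot: The free pair added here, and the three identical copies in the `_action_ums_emuemmc_boot0`, `_action_ums_emuemmc_boot1` and `_action_ums_emuemmc_gpp` hunks of gui_tools.c, leave `emu_info.path` and `emu_info.nintendo_path` pointing at freed memory; if `emu_info` is read again or reused after this point (its declaration is outside the hunk, so I cannot tell), that is the same class of use-after-free this commit is fixing. A small release helper next to `load_emummc_cfg()`, declared in its header, that frees both strings and resets them to NULL would replace the four duplicated blocks with one call each and make a later double free impossible. The `if (p) free(p)` guards can stay if the platform `free()` does not accept NULL, which is not visible here either. The frees also rely on `emu_info` having been zeroed before `load_emummc_cfg()` filled it; that happens outside the hunk and is worth confirming, since otherwise an uninitialized pointer would be freed when the INI has no path keys. `create_win_emummc_tools()` starts and ends outside the hunk.
```c
// Release the strings load_emummc_cfg() allocated and clear the fields so a
// stale pointer cannot be freed or dereferenced again.
void free_emummc_cfg(emummc_cfg_t *emu_info)
{
	if (emu_info->path)
		free(emu_info->path);
	if (emu_info->nintendo_path)
		free(emu_info->nintendo_path);
	emu_info->path = NULL;
	emu_info->nintendo_path = NULL;
}

// … unchanged: create_win_emummc_tools() up to the disabled/enabled label …
	free_emummc_cfg(&emu_info);
	free(txt_buf);
```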
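Review bot: `lv_obj_t *ums_mbox;` in the gui_tools.c declarations hunk is added with external linkage and no `extern` declaration in sight; if it is only used inside gui_tools.c it should be `static lv_obj_t *ums_mbox;` so it does not enter the global namespace, and if another file needs it, an `extern` declaration in the header is the place to say so. A one-line comment stating what the handle points at and which function creates and destroys it would help the next reader, since its uses are outside this hunk and cannot be seen here.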