File mupen64plus-CVE-2025-9688.patch of Package mupen64plus

From 3984137fc0c44110f1ef876adb008885b05a6e18 Mon Sep 17 00:00:00 2001
From: Giles <Giles_Anderson@outlook.com>
Date: Sun, 9 Mar 2025 19:43:55 +0800
Subject: [PATCH] fix integer overflow in write_is_viewer

---
 src/device/cart/is_viewer.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/source/mupen64plus-core/src/device/cart/is_viewer.c b/source/mupen64plus-core/src/device/cart/is_viewer.c
index d3522401d..c8f442e65 100644
--- a/source/mupen64plus-core/src/device/cart/is_viewer.c
+++ b/source/mupen64plus-core/src/device/cart/is_viewer.c
@@ -55,13 +55,15 @@ void write_is_viewer(void* opaque, uint32_t address, uint32_t value, uint32_t ma
     {
         if (word > 0)
         {
-            /* make sure we don't overflow the buffer */
-            if (is_viewer->buffer_pos + word > IS_BUFFER_SIZE)
+            /* make sure we don't overflow the integer or the buffer  */
+            if (is_viewer->buffer_pos > IS_BUFFER_SIZE 
+                || word > IS_BUFFER_SIZE
+                || is_viewer->buffer_pos + word > IS_BUFFER_SIZE )
             {
                 /* reset buffer */
                 memset(is_viewer->output_buffer, 0, IS_BUFFER_SIZE);
                 is_viewer->buffer_pos = 0;
-                DebugMessage(M64MSG_WARNING, "IS64: prevented buffer overflow, cleared buffer");
+                DebugMessage(M64MSG_WARNING, "IS64: prevented integer overflow, cleared buffer");
                 return;
             }
 
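Review bot: The three-clause condition added at `is_viewer->buffer_pos > IS_BUFFER_SIZE || word > IS_BUFFER_SIZE || ...` only rules out wrap-around in the final `buffer_pos + word` if `IS_BUFFER_SIZE` is no more than half the range of the operand type, and neither the constant nor the types of `buffer_pos` and `word` are visible in this hunk. The subtraction form `if (is_viewer->buffer_pos > IS_BUFFER_SIZE || word > IS_BUFFER_SIZE - is_viewer->buffer_pos)` cannot wrap whatever the constant is, and it makes the middle clause unnecessary. The warning now says "prevented integer overflow" for every rejection, including a plain out-of-bounds length that never wraps, so a neutral text such as `"IS64: write exceeds buffer bounds, cleared buffer"` would be more accurate for anyone triaging logs. The added condition lines also end in trailing whitespace. write_is_viewer begins and ends outside the hunk, so how `word` is derived and how the buffer is written after this check cannot be confirmed here.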