blackteay/fbi-i18n-zh
1
0
Fork 0
mirror of https://gitlab.com/Theopse/fbi-i18n-zh.git synced 2025-04-05 19:41:43 +08:00
Code Issues Projects Releases Wiki Activity

Add validity checks to CIA/TMD/Ticket parsing code.

Browse Source
This commit is contained in:
Steveice10 2018-05-15 18:54:39 -07:00
parent 8ad4fc4be5
commit faabb9ec62
8 changed files with 187 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
source/core/data/cia.c
View File

@ -5,14 +5,25 @@
#include "tmd.h"
#include "../error.h"
u64 cia_get_title_id(u8* cia) {
Result cia_get_title_id(u64* titleId, u8* cia, size_t size) {
if(cia == NULL) {
return R_APP_INVALID_ARGUMENT;
}
if(size < 0x10) {
return R_APP_BAD_DATA;
}
u32 headerSize = ((*(u32*) &cia[0x00]) + 0x3F) & ~0x3F;
u32 certSize = ((*(u32*) &cia[0x08]) + 0x3F) & ~0x3F;
u32 ticketSize = ((*(u32*) &cia[0x0C]) + 0x3F) & ~0x3F;
u32 offset = headerSize + certSize + ticketSize;
u8* tmd = &cia[headerSize + certSize + ticketSize];
if(offset >= size) {
return R_APP_BAD_DATA;
}
return tmd_get_title_id(tmd);
return tmd_get_title_id(titleId, &cia[offset], size - offset);
}
Result cia_file_get_smdh(SMDH* smdh, Handle handle) {

2
source/core/data/cia.h
View File

@ -2,5 +2,5 @@
typedef struct SMDH_s SMDH;
u64 cia_get_title_id(u8* cia);
Result cia_get_title_id(u64* titleId, u8* cia, size_t size);
Result cia_file_get_smdh(SMDH* smdh, Handle handle);

30
source/core/data/ticket.c
View File

@ -1,9 +1,33 @@
#include <3ds.h>
#include "ticket.h"
#include "../core.h"
static u32 sigSizes[6] = {0x240, 0x140, 0x80, 0x240, 0x140, 0x80};
#define NUM_SIG_TYPES 6
static u32 sigSizes[NUM_SIG_TYPES] = {0x240, 0x140, 0x80, 0x240, 0x140, 0x80};
u64 ticket_get_title_id(u8* ticket) {
return __builtin_bswap64(*(u64*) &ticket[sigSizes[ticket[0x03]] + 0x9C]);
Result ticket_get_title_id(u64* titleId, u8* ticket, size_t size) {
if(ticket == NULL) {
return R_APP_INVALID_ARGUMENT;
}
if(size < 4) {
return R_APP_BAD_DATA;
}
u8 sigType = ticket[0x03];
if(sigType >= NUM_SIG_TYPES) {
return R_APP_BAD_DATA;
}
u32 offset = sigSizes[sigType] + 0x9C;
if(offset + sizeof(u64) > size) {
return R_APP_BAD_DATA;
}
if(titleId != NULL) {
*titleId = __builtin_bswap64(*(u64*) &ticket[offset]);
}
return 0;
}

2
source/core/data/ticket.h
View File

@ -1,3 +1,3 @@
#pragma once
u64 ticket_get_title_id(u8* ticket);
Result ticket_get_title_id(u64* titleId, u8* ticket, size_t size);

86
source/core/data/tmd.c
View File

@ -1,17 +1,89 @@
#include <3ds.h>
#include "tmd.h"
#include "../core.h"
static u32 sigSizes[6] = {0x240, 0x140, 0x80, 0x240, 0x140, 0x80};
#define NUM_SIG_TYPES 6
static u32 sigSizes[NUM_SIG_TYPES] = {0x240, 0x140, 0x80, 0x240, 0x140, 0x80};
u64 tmd_get_title_id(u8* tmd) {
return __builtin_bswap64(*(u64*) &tmd[sigSizes[tmd[0x03]] + 0x4C]);
static Result tmd_get(u8** out, u8* tmd, size_t tmdSize, u32 pos, size_t fieldSize) {
if(tmd == NULL) {
return R_APP_INVALID_ARGUMENT;
}
u16 tmd_get_content_count(u8* tmd) {
return __builtin_bswap16(*(u16*) &tmd[sigSizes[tmd[0x03]] + 0x9E]);
if(tmdSize < 4) {
return R_APP_BAD_DATA;
}
u8* tmd_get_content_chunk(u8* tmd, u32 index) {
return &tmd[sigSizes[tmd[0x03]] + 0x9C4 + (index * 0x30)];
u8 sigType = tmd[0x03];
if(sigType >= NUM_SIG_TYPES) {
return R_APP_BAD_DATA;
}
u32 offset = sigSizes[sigType] + pos;
if(offset + fieldSize > tmdSize) {
return R_APP_BAD_DATA;
}
if(out != NULL) {
*out = &tmd[offset];
}
return 0;
}
Result tmd_get_title_id(u64* titleId, u8* tmd, size_t size) {
u8* data = NULL;
Result res = tmd_get(&data, tmd, size, 0x4C, sizeof(u64));
if(R_FAILED(res)) {
return res;
}
if(titleId != NULL) {
*titleId = __builtin_bswap64(*(u64*) data);
}
return 0;
}
Result tmd_get_content_count(u16* contentCount, u8* tmd, size_t size) {
u8* data = NULL;
Result res = tmd_get(&data, tmd, size, 0x9E, sizeof(u16));
if(R_FAILED(res)) {
return res;
}
if(contentCount != NULL) {
*contentCount = __builtin_bswap16(*(u16*) data);
}
return 0;
}
Result tmd_get_content_id(u32* id, u8* tmd, size_t size, u32 num) {
u8* data = NULL;
Result res = tmd_get(&data, tmd, size, 0x9C4 + (num * 0x30), sizeof(u32));
if(R_FAILED(res)) {
return res;
}
if(id != NULL) {
*id = __builtin_bswap32(*(u32*) data);
}
return 0;
}
Result tmd_get_content_index(u16* index, u8* tmd, size_t size, u32 num) {
u8* data = NULL;
Result res = tmd_get(&data, tmd, size, 0x9C4 + (num * 0x30) + 0x4, sizeof(u16));
if(R_FAILED(res)) {
return res;
}
if(index != NULL) {
*index = __builtin_bswap16(*(u16*) data);
}
return 0;
}

7
source/core/data/tmd.h
View File

@ -1,5 +1,6 @@
#pragma once
u64 tmd_get_title_id(u8* tmd);
u16 tmd_get_content_count(u8* tmd);
u8* tmd_get_content_chunk(u8* tmd, u32 index);
Result tmd_get_title_id(u64* titleId, u8* tmd, size_t size);
Result tmd_get_content_count(u16* contentCount, u8* tmd, size_t size);
Result tmd_get_content_id(u32* id, u8* tmd, size_t size, u32 num);
Result tmd_get_content_index(u16* index, u8* tmd, size_t size, u32 num);

27
source/fbi/action/installcdn.c
View File

@ -18,7 +18,7 @@ typedef struct {
bool finishedPrompt;
char tmdVersion[16];
u32 contentCount;
u16 contentCount;
u16 contentIndices[CONTENTS_MAX];
u32 contentIds[CONTENTS_MAX];
@ -71,21 +71,28 @@ static Result action_install_cdn_open_dst(void* data, u32 index, void* initialRe
install_cdn_data* installData = (install_cdn_data*) data;
if(index == 0) {
installData->contentCount = tmd_get_content_count((u8*) initialReadBlock);
if(installData->contentCount > CONTENTS_MAX) {
return R_APP_OUT_OF_RANGE;
}
Result res = 0;
if(R_SUCCEEDED(res = tmd_get_content_count(&installData->contentCount, (u8*) initialReadBlock, installData->installInfo.bufferSize))) {
if(installData->contentCount <= CONTENTS_MAX) {
for(u32 i = 0; i < installData->contentCount; i++) {
u8* contentChunk = tmd_get_content_chunk((u8*) initialReadBlock, i);
installData->contentIds[i] = __builtin_bswap32(*(u32*) &contentChunk[0x00]);
installData->contentIndices[i] = __builtin_bswap16(*(u16*) &contentChunk[0x04]);
if(R_FAILED(res = tmd_get_content_id(&installData->contentIds[i], (u8*) initialReadBlock, installData->installInfo.bufferSize, i))
|| R_FAILED(res = tmd_get_content_index(&installData->contentIndices[i], (u8*) initialReadBlock, installData->installInfo.bufferSize, i))) {
break;
}
}
if(R_SUCCEEDED(res)) {
installData->installInfo.total += installData->contentCount;
return AM_InstallTmdBegin(handle);
res = AM_InstallTmdBegin(handle);
}
} else {
res = R_APP_OUT_OF_RANGE;
}
}
return res;
} else {
return AM_InstallContentBegin(handle, installData->contentIndices[index - 1]);
}

8
source/fbi/action/installurl.c
View File

@ -147,8 +147,8 @@ static Result action_install_url_open_dst(void* data, u32 index, void* initialRe
if(*(u16*) initialReadBlock == 0x2020) {
installData->contentType = CONTENT_CIA;
u64 titleId = cia_get_title_id((u8*) initialReadBlock);
u64 titleId = 0;
if(R_SUCCEEDED(res = cia_get_title_id(&titleId, (u8*) initialReadBlock, installData->installInfo.bufferSize))) {
FS_MediaType dest = fs_get_title_destination(titleId);
bool n3ds = false;
@ -179,7 +179,9 @@ static Result action_install_url_open_dst(void* data, u32 index, void* initialRe
if(R_SUCCEEDED(res = AM_StartCiaInstall(dest, handle))) {
installData->currTitleId = titleId;
}
}
} else if(*(u16*) initialReadBlock == 0x0100) {
if(R_SUCCEEDED(res = ticket_get_title_id(&installData->ticketInfo.titleId, (u8*) initialReadBlock, installData->installInfo.bufferSize))) {
installData->contentType = CONTENT_TICKET;
if(!installData->cdnDecided) {
@ -191,12 +193,12 @@ static Result action_install_url_open_dst(void* data, u32 index, void* initialRe
}
}
installData->ticketInfo.titleId = ticket_get_title_id((u8*) initialReadBlock);
installData->ticketInfo.inUse = false;
installData->ticketInfo.loaded = true;
AM_DeleteTicket(installData->ticketInfo.titleId);
res = AM_InstallTicketBegin(handle);
}
} else if(*(u32*) initialReadBlock == 0x58534433 /* 3DSX */ || *(u32*) initialReadBlock == 0x48444D53 /* SMDH */) {
installData->contentType = CONTENT_3DSX_SMDH;