mirrors/rpcs3
1
0
Fork 0
mirror of https://github.com/RPCS3/rpcs3.git synced 2025-04-19 19:15:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

rsx: Handle out-of-bounds read/writes from FIFO register IO

Browse source
This commit is contained in:
kd-11 2025-03-10 14:21:22 +03:00 committed by kd-11
parent ddd3ac3663
commit 11e214f332
3 changed files with 30 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
rpcs3/Emu/RSX/NV47/HW/nv308a.cpp
View file

@ -35,6 +35,13 @@ namespace rsx
u32 count = std::min<u32>({ fifo_args_cnt, fifo_read_limit, method_range });
if (!count)
{
rsx_log.error("nv308a::color - No data to read/write.");
RSX(ctx)->fifo_ctrl->skip_methods(fifo_args_cnt - 1);
return;
}
const u32 dst_dma = REGS(ctx)->blit_engine_output_location_nv3062();
const u32 dst_offset = REGS(ctx)->blit_engine_output_offset_nv3062();
const u32 out_pitch = REGS(ctx)->blit_engine_output_pitch_nv3062();

16
rpcs3/Emu/RSX/NV47/HW/nv4097.cpp
View file

@ -82,6 +82,14 @@ namespace rsx
rcount = 0;
}
if (rcount == 0)
{
// Out-of-bounds write is a NOP
rsx_log.trace("Out of bounds write for transform constant block.");
RSX(ctx)->fifo_ctrl->skip_methods(fifo_args_cnt - 1);
return;
}
if (RSX(ctx)->in_begin_end && !REGS(ctx)->current_draw_clause.empty())
{
// Updating constants mid-draw is messy. Defer the writes
@ -148,6 +156,14 @@ namespace rsx
rcount -= max - (max_vertex_program_instructions * 4);
}
if (!rcount)
{
// Out-of-bounds write is a NOP
rsx_log.trace("Out of bounds write for transform program block.");
RSX(ctx)->fifo_ctrl->skip_methods(fifo_args_cnt - 1);
return;
}
const auto fifo_span = RSX(ctx)->fifo_ctrl->get_current_arg_ptr(rcount);
if (fifo_span.size() < rcount)

7
rpcs3/Emu/RSX/RSXFIFO.cpp
View file

@ -225,6 +225,13 @@ namespace rsx
std::span<const u32> FIFO_control::get_current_arg_ptr(u32 length_in_words) const
{
if (!length_in_words)
{
// This means the caller is doing something stupid
rsx_log.error("Invalid access to FIFO args data, requested length = 0");
return {};
}
if (g_cfg.core.rsx_fifo_accuracy)
{
// Return a pointer to the cache storage with confined access