From ade291e73d901b67dac638f766e5c27ba5f7d43e Mon Sep 17 00:00:00 2001
From: Eladash <elad3356p@gmail.com>
Date: Thu, 20 Jun 2019 22:35:08 +0300
Subject: [PATCH] Fix potential overflow in sys_vm

---
 rpcs3/Emu/Cell/lv2/sys_vm.cpp | 18 +++++++++---------
 rpcs3/Emu/Memory/vm.cpp       |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/rpcs3/Emu/Cell/lv2/sys_vm.cpp b/rpcs3/Emu/Cell/lv2/sys_vm.cpp
index fdf5afc321..c6b34c56b1 100644
--- a/rpcs3/Emu/Cell/lv2/sys_vm.cpp
+++ b/rpcs3/Emu/Cell/lv2/sys_vm.cpp
@@ -135,7 +135,7 @@ error_code sys_vm_return_memory(u32 addr, u32 size)
 
 	std::lock_guard lock(block->mutex);
 
-	if (block->psize < 0x100000 + size)
+	if (u64{block->psize} < u64{0x100000} + size)
 	{
 		return CELL_EBUSY;
 	}
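Review bot: The widened comparison leaves `0x100000` as an unexplained constant on a line that is now harder to read; a short comment would save the next reader from re-deriving it, e.g. `// Keep at least 0x100000 bytes of physical backing; compare in u64 so 0x100000 + size cannot wrap for a large size`. That the constant is a minimum retained physical size is inferred from the shape of the check rather than visible here, so confirm it against the allocation path before wording the comment. The body of sys_vm_return_memory starts and continues outside the hunk, so whether `size` is already validated for page granularity cannot be seen from this hunk.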
@@ -156,7 +156,7 @@ error_code sys_vm_lock(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
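Review bot: The range check `u64{addr} + size > u64{block->addr} + block->size` only bounds the upper end; it accepts an `addr` below `block->addr` if `sys_vm_t::find_id(addr)` can return a block that does not contain `addr`, which cannot be confirmed from this hunk. If that lookup does not guarantee containment, the guard should read `if (!block || addr < block->addr || u64{addr} + size > u64{block->addr} + block->size)`. The identical expression is repeated in eight functions in this file (lock, unlock, touch, flush, invalidate, store, sync, test), so a small static helper such as `sys_vm_range_in_block(const sys_vm_t&, u32 addr, u32 size)` carrying the u64 promotion and a one-line comment would keep the eight call sites from drifting apart on the next fix. The enclosing sys_vm_lock body continues outside the hunk.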
@@ -175,7 +175,7 @@ error_code sys_vm_unlock(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -194,7 +194,7 @@ error_code sys_vm_touch(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -213,7 +213,7 @@ error_code sys_vm_flush(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -232,7 +232,7 @@ error_code sys_vm_invalidate(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -252,7 +252,7 @@ error_code sys_vm_store(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -271,7 +271,7 @@ error_code sys_vm_sync(u32 addr, u32 size)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
@@ -285,7 +285,7 @@ error_code sys_vm_test(u32 addr, u32 size, vm::ptr<u64> result)
 
 	const auto block = idm::get<sys_vm_t>(sys_vm_t::find_id(addr));
 
-	if (!block || addr + size > block->addr + block->size)
+	if (!block || u64{addr} + size > u64{block->addr} + block->size)
 	{
 		return CELL_EINVAL;
 	}
diff --git a/rpcs3/Emu/Memory/vm.cpp b/rpcs3/Emu/Memory/vm.cpp
index 1a6dd0a623..bca5a323ae 100644
--- a/rpcs3/Emu/Memory/vm.cpp
+++ b/rpcs3/Emu/Memory/vm.cpp
@@ -717,7 +717,7 @@ namespace vm
 			shm = std::make_shared<utils::shm>(size);
 
 		// Search for an appropriate place (unoptimized)
-		for (u32 addr = ::align(this->addr, align); addr < this->addr + this->size - 1; addr += align)
+		for (u32 addr = ::align(this->addr, align); u64{addr} + size < u64{this->addr} + this->size - 1; addr += align)
 		{
 			if (try_alloc(addr, pflags, size, std::move(shm)))
 			{
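Review bot: The new bound `u64{addr} + size < u64{this->addr} + this->size - 1` rejects any candidate whose range ends in the last two bytes of the block, so an allocation that would exactly fill the tail of the block can no longer be placed; the `- 1` presumably existed to survive `this->addr + this->size` wrapping in u32, which the u64 promotion already rules out. The intended condition is `u64{addr} + size <= u64{this->addr} + this->size`. Separately, `addr += align` is still evaluated in u32, so for a block whose end lies at 4 GiB the loop variable can wrap to 0 while the u64 condition stays true; if such a block is reachable, carry the candidate in a u64 or stop when `addr + align` would overflow. The enclosing alloc body continues outside the hunk.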