From 357025dfdf2b08204b0a3ae38330dc5fe3f05103 Mon Sep 17 00:00:00 2001
From: Diego Arias <dariascauas@gmail.com>
Date: Sat, 23 Jul 2022 12:27:55 -0400
Subject: [PATCH] loader: check for overflow of seg_sizes[] in 3dsx loader
 (#6075)

---
 src/core/loader/3dsx.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/core/loader/3dsx.cpp b/src/core/loader/3dsx.cpp
index d9cba3b16..99d920951 100644
--- a/src/core/loader/3dsx.cpp
+++ b/src/core/loader/3dsx.cpp
@@ -111,6 +111,11 @@ static THREEDSX_Error Load3DSXFile(FileUtil::IOFile& file, u32 base_addr,
     loadinfo.seg_sizes[0] = (hdr.code_seg_size + 0xFFF) & ~0xFFF;
     loadinfo.seg_sizes[1] = (hdr.rodata_seg_size + 0xFFF) & ~0xFFF;
     loadinfo.seg_sizes[2] = (hdr.data_seg_size + 0xFFF) & ~0xFFF;
+    // prevent integer overflow leading to heap-buffer-overflow
+    if (loadinfo.seg_sizes[0] < hdr.code_seg_size || loadinfo.seg_sizes[1] < hdr.rodata_seg_size ||
+        loadinfo.seg_sizes[2] < hdr.data_seg_size) {
+        return ERROR_READ;
+    }
     u32 offsets[2] = {loadinfo.seg_sizes[0], loadinfo.seg_sizes[0] + loadinfo.seg_sizes[1]};
     u32 n_reloc_tables = hdr.reloc_hdr_size / sizeof(u32);
     std::vector<u8> program_image(loadinfo.seg_sizes[0] + loadinfo.seg_sizes[1] +
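Review bot: The added guard only rejects a wrap in each segment's own page rounding, so the sums on the context lines after it, `loadinfo.seg_sizes[0] + loadinfo.seg_sizes[1]` in `offsets[1]` and the three-way sum that sizes `program_image`, can still wrap if they are evaluated in 32 bits (`offsets` is `u32`; the element type of `seg_sizes` is not visible here). A wrapped total would allocate `program_image` smaller than the segments it is meant to hold, which is the same heap-buffer-overflow class the new comment names. Consider computing the total in 64 bits before the allocation: `const u64 total = u64{loadinfo.seg_sizes[0]} + loadinfo.seg_sizes[1] + loadinfo.seg_sizes[2];` followed by `if (total > 0xFFFFFFFFull) return ERROR_READ;`. The body of Load3DSXFile starts above and continues past this hunk, so whether the header sizes are also bounded against the file length cannot be confirmed from here.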