Mercurial > repos > blastem
comparison genesis.c @ 2476:aaf7bb58ffca
Fix bug in Gen/MD serialize routine that could cause a use-after free in some cases
| author | Michael Pavone <pavone@retrodev.com> |
|---|---|
| date | Sun, 03 Mar 2024 13:47:59 -0800 |
| parents | b5640ac9aea9 |
| children | 59a299610662 |
comparison
equal
deleted
inserted
replaced
| 2475:a634985b1df3 | 2476:aaf7bb58ffca |
|---|---|
| 137 static uint8_t *serialize(system_header *sys, size_t *size_out) | 137 static uint8_t *serialize(system_header *sys, size_t *size_out) |
| 138 { | 138 { |
| 139 genesis_context *gen = (genesis_context *)sys; | 139 genesis_context *gen = (genesis_context *)sys; |
| 140 uint32_t address; | 140 uint32_t address; |
| 141 if (gen->m68k->resume_pc) { | 141 if (gen->m68k->resume_pc) { |
| 142 gen->m68k->target_cycle = gen->m68k->current_cycle; | 142 |
| 143 gen->header.save_state = SERIALIZE_SLOT+1; | 143 gen->header.save_state = SERIALIZE_SLOT+1; |
| 144 resume_68k(gen->m68k); | 144 while (!gen->serialize_tmp) |
| 145 { | |
| 146 gen->m68k->target_cycle = gen->m68k->current_cycle + 1; | |
| 147 resume_68k(gen->m68k); | |
| 148 } | |
| 145 if (size_out) { | 149 if (size_out) { |
| 146 *size_out = gen->serialize_size; | 150 *size_out = gen->serialize_size; |
| 147 } | 151 } |
| 148 return gen->serialize_tmp; | 152 uint8_t *ret = gen->serialize_tmp; |
| 153 gen->serialize_tmp = NULL; | |
| 154 return ret; | |
| 149 } else { | 155 } else { |
| 150 serialize_buffer state; | 156 serialize_buffer state; |
| 151 init_serialize(&state); | 157 init_serialize(&state); |
| 152 uint32_t address = read_word(4, (void **)gen->m68k->mem_pointers, &gen->m68k->options->gen, gen->m68k) << 16; | 158 uint32_t address = read_word(4, (void **)gen->m68k->mem_pointers, &gen->m68k->options->gen, gen->m68k) << 16; |
| 153 address |= read_word(6, (void **)gen->m68k->mem_pointers, &gen->m68k->options->gen, gen->m68k); | 159 address |= read_word(6, (void **)gen->m68k->mem_pointers, &gen->m68k->options->gen, gen->m68k); |