Switch System Flaws: Difference between revisions
Line 661: | Line 661: | ||
| April 18, 2020 | | April 18, 2020 | ||
| July 14, 2020 | | July 14, 2020 | ||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB | |||
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input. | |||
This was fixed with [9.1.0+] by requiring captureBuf = 0-1. | |||
| OOB bool writes into an array | |||
| [[9.1.0]] | |||
| [[13.1.0]] | |||
| ~July 31, 2019 | |||
| January 26, 2022 | |||
| [[User:Yellows8|yellows8]] | |||
|- | |||
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB | |||
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input. | |||
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned. | |||
| OOB array access | |||
| [[5.0.0]] | |||
| [[13.1.0]] | |||
| ~July 31, 2019 | |||
| January 26, 2022 | |||
| [[User:Yellows8|yellows8]] | | [[User:Yellows8|yellows8]] | ||
|- | |- |
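Review bot: In the added ClearCaptureBuffer row, "requiring captureBuf = 0-1" can be read as an expression rather than a range; writing "requiring captureBuf to be 0 or 1" removes the ambiguity. In the same row, "with code using captureBuf still being used afterwards" is hard to parse, and "the code after that block still uses captureBuf" says it directly. The two rows also differ without explanation ("without proper validation" versus "without validation"), and the TakeScreenShotOfOwnLayer row gives the [5.0.0+] cutoff as captureBuf>=0x10 without stating the size of the array being indexed; adding the entry count, if known, would let a reader judge that bound.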