Changes

Jump to navigation Jump to search

Switch System Flaws (view source)

Revision as of 18:13, 26 January 2022

1,223 bytes added ,  18:13, 26 January 2022
→‎System Modules
Line 661: Line 661:  
| April 18, 2020
 
| April 18, 2020
 
| July 14, 2020
 
| July 14, 2020
 +
| [[User:Yellows8|yellows8]]
 +
|-
 +
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] ClearCaptureBuffer OOB
 +
| The captureBuf is used as an array index without proper validation. There is code validating it, but on failure it just skips over a code-block, with code using captureBuf still being used afterwards. Then this is used to write bools into a global array, one of which is from the command input.
 +
This was fixed with [9.1.0+] by requiring captureBuf = 0-1.
 +
| OOB bool writes into an array
 +
| [[9.1.0]]
 +
| [[13.1.0]]
 +
| ~July 31, 2019
 +
| January 26, 2022
 +
| [[User:Yellows8|yellows8]]
 +
|-
 +
| [[Applet_Manager_services#IDisplayController|AM IDisplayController]] TakeScreenShotOfOwnLayer OOB
 +
| The captureBuf is used as an array index without validation. Data used from this array includes calling a funcptr from the array entry, if set. Eventually this is also used to write bools into this array, one of which is from the command input.
 +
With [5.0.0+] a func is eventually called to get a ptr determined by the input captureBuf, with nullptr being returned for captureBuf>=0x10. The caller will Abort if nullptr was returned.
 +
| OOB array access
 +
| [[5.0.0]]
 +
| [[13.1.0]]
 +
| ~July 31, 2019
 +
| January 26, 2022
 
| [[User:Yellows8|yellows8]]
 
| [[User:Yellows8|yellows8]]
 
|-
 
|-
Retrieved from "https://switchbrew.org/wiki/Special:MobileDiff/11450"

Navigation menu