From e119e17d1824cbc41153d8f55d81b76b3da438f6 Mon Sep 17 00:00:00 2001
From: Subv <subv2112@gmail.com>
Date: Mon, 30 Jul 2018 20:09:13 -0500
Subject: [PATCH] nvhost_gpu: Added checks to ensure we don't read past the end
 of the entries when handling a GPU command list.

---
 src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp b/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
index 126782573..5a1123ad2 100644
--- a/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
+++ b/src/core/hle/service/nvdrv/devices/nvhost_gpu.cpp
@@ -132,9 +132,12 @@ u32 nvhost_gpu::SubmitGPFIFO(const std::vector<u8>& input, std::vector<u8>& outp
     LOG_WARNING(Service_NVDRV, "(STUBBED) called, gpfifo={:X}, num_entries={:X}, flags={:X}",
                 params.address, params.num_entries, params.flags);
 
-    auto entries = std::vector<IoctlGpfifoEntry>();
-    entries.resize(params.num_entries);
-    std::memcpy(&entries[0], &input.data()[sizeof(IoctlSubmitGpfifo)],
+    ASSERT_MSG(input.size() ==
+                   sizeof(IoctlSubmitGpfifo) + params.num_entries * sizeof(IoctlGpfifoEntry),
+               "Incorrect input size");
+
+    std::vector<IoctlGpfifoEntry> entries(params.num_entries);
+    std::memcpy(entries.data(), &input[sizeof(IoctlSubmitGpfifo)],
                 params.num_entries * sizeof(IoctlGpfifoEntry));
     for (auto entry : entries) {
         Tegra::GPUVAddr va_addr = entry.Address();
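Review bot: The size check added before the `entries` vector is an `ASSERT_MSG`, so whether the `memcpy` below is protected depends on how assertions behave in the build. `params.num_entries` appears to come from the ioctl input, and if the assertion is compiled out or only logs, the copy still reads `params.num_entries * sizeof(IoctlGpfifoEntry)` bytes from an `input` that may be shorter than that. A runtime rejection holds in every configuration, for example `if (input.size() != sizeof(IoctlSubmitGpfifo) + params.num_entries * sizeof(IoctlGpfifoEntry)) return <error code>;`, where the error value is a placeholder because SubmitGPFIFO's return convention is outside the hunk. Separately, `&input[sizeof(IoctlSubmitGpfifo)]` indexes at `input.size()` when `num_entries` is zero, which checked standard-library builds trap on; `input.data() + sizeof(IoctlSubmitGpfifo)` avoids that. The function starts and ends outside the hunk, so how `params` itself is read from `input` is not visible here.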