Emulator Issues #14032
Status: closed
TMDHeader Initialization Bug on WAD File Parsing that is Too Large
Description
Hi guys,
My team and I are currently in the midst of working on a final project for our Security Testing course at the University of Utah, where we leverage fuzzing tools like AFL++ to test certain software. For our project, we chose to fuzz Dolphin Emulator and wanted to report a couple of findings to you.
In VolumeWAD.cpp, on initialization, a BlobReader is passed into the constructor. Data is then read from the reader into multiple members of the VolumeWAD object. However, on line 52, a validation check is performed on the TMD size to ensure that nothing too large is read into the data buffer. If it doesn't pass the check, it leaves tmd.m_bytes unset, resulting in uninitialized memory for later access. This returns a Volume that is not null and later, if you choose to access the gameID with VolumeWAD::GetGameId, m_bytes.data() is accessed, resulting in a segfault.
This is also the case with TMDReader::GetGameTDBID() and throws a segfault as well after being called by the VolumeWAD object. Similar to how you do it in VolumeWAD::GetRegion, adding the m_tmd.IsValid() check to both of the above functions removes all segmentation faults, which we validated by changing, recompiling, and re-fuzzing the program for another several hours.
Thanks so much and let us know if this gets confirmed or denied!
Thanks!
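As an added illustration (not Dolphin's code), this toy C++ model reproduces the pattern the report describes: a size check that leaves the TMD buffer empty, an accessor that dereferences that buffer unguarded, and the IsValid()-guarded version. The blob layout, offsets, size cap and identifier names are constructed for the example only.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed toy layout, NOT the real WAD/TMD format:
// blob = [u32 LE tmd_size][tmd bytes...]; game id = 4 ASCII bytes at kGameIdOffset.
constexpr std::size_t kGameIdOffset = 0x10;
constexpr std::size_t kMinTmdSize = kGameIdOffset + 4;
constexpr std::size_t kMaxTmdSize = 0x1000;  // hypothetical "too large" cap

struct TmdReader {
  std::vector<uint8_t> m_bytes;  // stays empty when the size check rejected the header
  bool IsValid() const { return m_bytes.size() >= kMinTmdSize; }

  // Bug pattern from the report: dereferences m_bytes.data() without checking that the
  // buffer was ever filled. On an empty vector this is undefined behaviour (the segfault).
  std::string GetGameIdUnchecked() const {
    return std::string(reinterpret_cast<const char*>(m_bytes.data()) + kGameIdOffset, 4);
  }

  // Fixed pattern: mirror the IsValid() guard and return an empty id instead of reading.
  std::string GetGameId() const {
    if (!IsValid())
      return "";
    return std::string(reinterpret_cast<const char*>(m_bytes.data()) + kGameIdOffset, 4);
  }
};

// Parses the toy header. On an oversized or truncated TMD the check fails and
// m_bytes is deliberately left empty, mirroring the code path described above.
TmdReader ParseWad(const std::vector<uint8_t>& blob) {
  TmdReader tmd;
  if (blob.size() < 4)
    return tmd;
  uint32_t tmd_size = 0;
  std::memcpy(&tmd_size, blob.data(), 4);  // little-endian host assumed
  if (tmd_size > kMaxTmdSize || blob.size() - 4 < tmd_size)
    return tmd;  // validation failed: nothing is read into m_bytes
  tmd.m_bytes.assign(blob.begin() + 4, blob.begin() + 4 + tmd_size);
  return tmd;
}

// Constructed sample input: a blob that declares `declared_size` and carries `payload` bytes.
std::vector<uint8_t> MakeBlob(uint32_t declared_size, std::size_t payload) {
  std::vector<uint8_t> blob(4 + payload, 0);
  std::memcpy(blob.data(), &declared_size, 4);
  if (payload >= kMinTmdSize)
    std::memcpy(blob.data() + 4 + kGameIdOffset, "ABCD", 4);
  return blob;
}
```

A fuzzer reaches the crash by making `declared_size` exceed the cap: ParseWad returns a non-null-looking reader whose buffer is empty, and only the guarded accessor survives that input.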
Updated by Billiard26 24 days ago
- Status changed from New to Accepted
Updated by JosJuice 23 days ago
- Status changed from Accepted to Fix pending
https://github.com/dolphin-emu/dolphin/pull/14613
For what it's worth, there are probably many more crashes to be found in Dolphin, but you'll need particularly crafted PowerPC code to trigger most of them rather than just particularly crafted file headers.
Updated by AdmiralCurtiss 2 days ago
- Status changed from Fix pending to Fixed
- Fixed in set to 2603-372