From 1f3519e6e3fb3ae1394b0440c8e1f61e5be4a854 Mon Sep 17 00:00:00 2001
From: PixelyIon <pixelyion@protonmail.com>
Date: Tue, 26 Oct 2021 21:59:47 +0530
Subject: [PATCH] Fix Logger Message OOB Access

Certain titles can submit logs where the last field is one off by the buffer end, the logger loop now considers this and terminates if there isn't enough data left to read the field type and length.
---
 app/src/main/cpp/skyline/services/lm/ILogger.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/app/src/main/cpp/skyline/services/lm/ILogger.cpp b/app/src/main/cpp/skyline/services/lm/ILogger.cpp
index ec9fd12b..671abd46 100644
--- a/app/src/main/cpp/skyline/services/lm/ILogger.cpp
+++ b/app/src/main/cpp/skyline/services/lm/ILogger.cpp
@@ -8,6 +8,7 @@ namespace skyline::service::lm {
     ILogger::ILogger(const DeviceState &state, ServiceManager &manager) : BaseService(state, manager) {}
 
     Result ILogger::Log(type::KSession &session, ipc::IpcRequest &request, ipc::IpcResponse &response) {
+        auto inputBuffer{request.inputBuf.at(0)};
         struct Data {
             u64 pid;
             u64 threadContext;
@@ -15,7 +16,7 @@ namespace skyline::service::lm {
             LogLevel level;
             u8 verbosity;
             u32 payloadLength;
-        } &data = request.inputBuf.at(0).as<Data>();
+        } &data = inputBuffer.as<Data>();
 
         struct LogMessage {
             std::string_view message;
@@ -30,10 +31,10 @@ namespace skyline::service::lm {
         } logMessage{};
 
         u64 offset{sizeof(Data)};
-        while (offset < request.inputBuf[0].size()) {
-            auto fieldType{request.inputBuf[0].subspan(offset++).as<LogFieldType>()};
-            auto length{request.inputBuf[0].subspan(offset++).as<u8>()};
-            auto object{request.inputBuf[0].subspan(offset, length)};
+        while ((offset + sizeof(LogFieldType) + sizeof(u8)) < inputBuffer.size()) { // The length of the last field sometimes doesn't add up to the buffer size, so we need to terminate the loop when we can't pop the type and length off the buffer
+            auto fieldType{inputBuffer.subspan(offset++).as<LogFieldType>()};
+            auto length{inputBuffer.subspan(offset++).as<u8>()};
+            auto object{inputBuffer.subspan(offset, length)};
 
             switch (fieldType) {
                 case LogFieldType::Start: