Fix out-of-bound loop UB (#218)

* avoid ub

* format

* torch

include/PR/controller.h

@@ -9,10 +9,12 @@
 
 #define CHNL_ERR(format) (((format).rxsize & CHNL_ERR_MASK) >> 4)
 
-typedef struct
-{
-    /* 0x0 */ u32 ramarray[15];
+typedef union {
+    struct {
+    /* 0x00 */ u32 ramarray[15];
     /* 0x3C */ u32 pifstatus;
+    };
+    /* 0x00 */ u32 raw[16];
 } OSPifRam;
 
 typedef struct

include/prevent_context_reordering.h

@@ -9,7 +9,7 @@
 // struct Dummy4 {int x;};
 // struct Dummy5 {int x;};
 // struct Dummy6 {int x;};
-struct Dummy7 {int x;};
+// struct Dummy7 {int x;};
 struct Dummy8 {int x;};
 struct Dummy9 {int x;};
 struct Dummy10 {int x;};

src/audio/audio_seqplayer.c

@@ -1390,7 +1390,12 @@ void func_800168BC(void) {
     for (i = 0; i < 48; i++) {
         gSeqChannels[i].seqPlayer = NULL;
         gSeqChannels[i].enabled = false;
-        for (j = 0; j < 64; j++) { // bug: this is sizeof(gSeqLayers) instead of sizeof(gSeqChannels[i].layers)
+#ifdef AVOID_UB
+        for (j = 0; j < ARRAY_COUNT(gSeqChannels->layers); j++) {
+#else
+        for (j = 0; j < 64;
+             j++) { // bug: this is ARRAY_COUNT(gSeqLayers) instead of ARRAY_COUNT(gSeqChannels[i].layers)
+#endif
             gSeqChannels[i].layers[j] = NULL;
         }
     }

src/engine/fox_context.c

@@ -50,7 +50,11 @@ s32 D_ctx_80177B50[7];
 s32 D_ctx_80177B70[7];
 PlanetId D_ctx_80177B90[7];
 s32 D_ctx_80177BB0[7];
+#ifdef AVOID_UB
+s32 D_ctx_80177BD8[24];
+#else
 s32 D_ctx_80177BD8[22]; // overruns gPrevPlanetTeamShields?
+#endif
 s32 gPrevPlanetTeamShields[6];
 s32 D_ctx_80177C58[6];
 u8 gSoundMode;

src/engine/fox_save.c

@@ -68,7 +68,11 @@ s32 Save_Read(void) {
         (void) "ＥＥＰＲＯＭ ＲＯＭ［０］ 正常\n";
         return 0;
     }
+#ifdef AVOID_UB
+    for (i = 0; i < sizeof(SaveData); i++) {
+#else
     for (i = 0; i <= sizeof(SaveData); i++) { // should be <, but gets overwritten immediately.
+#endif
         gSaveFile.save.raw[i] = gSaveFile.backup.raw[i];
     }
     gSaveFile.save.checksum = gSaveFile.backup.checksum;

src/libultra/io/conteepread.c

@@ -30,8 +30,8 @@ s32 osEepromRead(OSMesgQueue* mq, u8 address, u8* buffer) {
     __osPackEepReadData(address);
     ret = __osSiRawStartDma(OS_WRITE, &__osEepPifRam);
     osRecvMesg(mq, NULL, OS_MESG_BLOCK);
-    for (i = 0; i < 0x10; i++) {
-        __osEepPifRam.ramarray[i] = 0xFF;
+    for (i = 0; i < ARRLEN(__osEepPifRam.raw); i++) {
+        __osEepPifRam.raw[i] = CONT_CMD_NOP;
     }
     __osEepPifRam.pifstatus = 0;
     ret = __osSiRawStartDma(OS_READ, &__osEepPifRam);
@@ -53,13 +53,13 @@ s32 osEepromRead(OSMesgQueue* mq, u8 address, u8* buffer) {
 }
 
 void __osPackEepReadData(u8 address) {
-    u8* ptr = (u8*) &__osEepPifRam.ramarray;
+    u8* ptr = (u8*) __osEepPifRam.ramarray;
     __OSContEepromFormat eepromformat;
     int i;
 
 #if BUILD_VERSION < VERSION_J
-    for (i = 0; i < ARRLEN(__osEepPifRam.ramarray) + 1; i++) {
-        __osEepPifRam.ramarray[i] = CONT_CMD_NOP;
+    for (i = 0; i < ARRLEN(__osEepPifRam.raw); i++) {
+        __osEepPifRam.raw[i] = CONT_CMD_NOP;
     }
 #endif
 

src/libultra/io/conteepwrite.c

@@ -7,7 +7,7 @@ void __osPackEepWriteData(u8 address, u8* buffer);
 s32 osEepromWrite(OSMesgQueue* mq, u8 address, u8* buffer) {
     s32 ret = 0;
     int i;
-    u8* ptr = (u8*) &__osEepPifRam.ramarray;
+    u8* ptr = (u8*) __osEepPifRam.ramarray;
     __OSContEepromFormat eepromformat;
     OSContStatus sdata;
 
@@ -31,8 +31,8 @@ s32 osEepromWrite(OSMesgQueue* mq, u8 address, u8* buffer) {
     ret = __osSiRawStartDma(OS_WRITE, &__osEepPifRam);
     osRecvMesg(mq, NULL, OS_MESG_BLOCK);
 
-    for (i = 0; i < 0x10; i++) {
-        __osEepPifRam.ramarray[i] = 255;
+    for (i = 0; i < ARRLEN(__osEepPifRam.raw); i++) {
+        __osEepPifRam.raw[i] = CONT_CMD_NOP;
     }
 
     __osEepPifRam.pifstatus = 0;
@@ -51,13 +51,13 @@ s32 osEepromWrite(OSMesgQueue* mq, u8 address, u8* buffer) {
 }
 
 void __osPackEepWriteData(u8 address, u8* buffer) {
-    u8* ptr = (u8*) &__osEepPifRam.ramarray;
+    u8* ptr = (u8*) __osEepPifRam.ramarray;
     __OSContEepromFormat eepromformat;
     int i;
 
 #if BUILD_VERSION < VERSION_J
-    for (i = 0; i < ARRLEN(__osEepPifRam.ramarray) + 1; i++) {
-        __osEepPifRam.ramarray[i] = CONT_CMD_NOP;
+    for (i = 0; i < ARRLEN(__osEepPifRam.raw); i++) {
+        __osEepPifRam.raw[i] = CONT_CMD_NOP;
     }
 #endif
     __osEepPifRam.pifstatus = CONT_CMD_EXE;
@@ -86,8 +86,8 @@ s32 __osEepStatus(OSMesgQueue* mq, OSContStatus* data) {
     u8* ptr = (u8*) __osEepPifRam.ramarray;
     __OSContRequesFormat requestformat;
 
-    for (i = 0; i < ARRLEN(__osEepPifRam.ramarray) + 1; i++) {
-        __osEepPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osEepPifRam.raw); i++) {
+        __osEepPifRam.raw[i] = 0;
     }
 
     __osEepPifRam.pifstatus = CONT_CMD_EXE;

src/libultra/io/contramread.c

@@ -139,8 +139,8 @@ static void __osPackRamReadData(int channel, u16 address) {
     ptr = (u8*) __osPfsPifRam.ramarray;
 
 #if BUILD_VERSION < VERSION_I
-    for (i = 0; i < 16; i++) {
-        __osPfsPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osPfsPifRam.raw[i] = 0;
     }
 #endif
 

src/libultra/io/contramwrite.c

@@ -145,8 +145,8 @@ static void __osPackRamWriteData(int channel, u16 address, u8* buffer) {
     ptr = (u8*) __osPfsPifRam.ramarray;
 
 #if BUILD_VERSION < VERSION_I
-    for (i = 0; i < 16; i++) {
-        __osPfsPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osPfsPifRam.raw[i] = 0;
     }
 #endif
 

src/libultra/io/contreaddata.c

@@ -16,8 +16,8 @@ s32 osContStartReadData(OSMesgQueue* mq) {
         osRecvMesg(mq, NULL, OS_MESG_BLOCK);
     }
 
-    for (i = 0; i <= ARRLEN(__osContPifRam.ramarray); i++) {
-        __osContPifRam.ramarray[i] = 0xFF;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osContPifRam.raw[i] = CONT_CMD_NOP;
     }
     __osContPifRam.pifstatus = 0;
 
@@ -52,8 +52,8 @@ static void __osPackReadData(void) {
     __OSContReadFormat readformat;
     int i;
 
-    for (i = 0; i <= ARRLEN(__osContPifRam.ramarray); i++) {
-        __osContPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osContPifRam.raw[i] = 0;
     }
 
     __osContPifRam.pifstatus = CONT_CMD_EXE;

src/libultra/io/controller.c

@@ -76,8 +76,8 @@ void __osPackRequestData(u8 cmd) {
     __OSContRequesFormat requestHeader;
     s32 i;
 
-    for (i = 0; i < 16; i++) {
-        __osContPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osContPifRam.raw[i] = 0;
     }
 
     __osContPifRam.pifstatus = CONT_CMD_READ_BUTTON;

src/libultra/io/pfsisplug.c

@@ -57,8 +57,8 @@ void __osPfsRequestData(u8 cmd) {
     __osContLastCmd = cmd;
 
 #if BUILD_VERSION < VERSION_I
-    for (i = 0; i < 16; i++) {
-        __osPfsPifRam.ramarray[i] = 0;
+    for (i = 0; i < ARRLEN(__osPfsPifRam.raw); i++) {
+        __osPfsPifRam.raw[i] = 0;
     }
     __osPfsPifRam.pifstatus = CONT_CMD_EXE;
 #endif

src/overlays/ovl_i5/fox_ti.c

@@ -40,12 +40,8 @@ s32* D_i5_801BBEF0;
 f32* D_i5_801BBEF4;
 s32* D_i5_801BBEF8;
 UnkStruct_i5_801BBF00 D_i5_801BBF00[67];
-Vec3f D_i5_801BC978[8];
-Vec3f D_i5_801BC9D8[8];
-Vec3f D_i5_801BCA38[76];
-Vec3f D_i5_801BCDC8[8];
-Vec3f D_i5_801BCE28[8];
-Vec3f D_i5_801BCE88[76];
+Vec3f D_i5_801BC978[92];
+Vec3f D_i5_801BCDC8[92];
 Vec3f D_i5_801BD218[92];
 s16 D_i5_801BD668[34];
 f32 D_i5_801BD6B0[34];
@@ -3116,12 +3112,12 @@ void Titania_80192118(Boss* boss) {
             boss->swork[1] = 1;
             break;
         case 1:
-            Animation_GetFrameData(&D_TI_A0002BC, 0, D_i5_801BC978);
-            Animation_GetFrameData(&D_TI_A0002BC, 0, D_i5_801BCDC8);
-            Animation_GetFrameData(&D_TI_A0002BC, 0, D_i5_801BC9D8);
-            Animation_GetFrameData(&D_TI_A0002BC, 0, D_i5_801BCE28);
-            Animation_GetFrameData(&D_TI_A000934, 0, D_i5_801BCA38);
-            Animation_GetFrameData(&D_TI_A000934, 0, D_i5_801BCE88);
+            Animation_GetFrameData(&D_TI_A0002BC, 0, &D_i5_801BC978[0]);
+            Animation_GetFrameData(&D_TI_A0002BC, 0, &D_i5_801BCDC8[0]);
+            Animation_GetFrameData(&D_TI_A0002BC, 0, &D_i5_801BC978[8]);
+            Animation_GetFrameData(&D_TI_A0002BC, 0, &D_i5_801BCDC8[8]);
+            Animation_GetFrameData(&D_TI_A000934, 0, &D_i5_801BC978[16]);
+            Animation_GetFrameData(&D_TI_A000934, 0, &D_i5_801BCDC8[16]);
             if ((gPlayer[0].unk_138 - boss->obj.pos.z) <= 450.0f) {
                 gPlayer[0].unk_19C = -1;
                 gPlayer[0].unk_000 = 0.0f;
@@ -3258,28 +3254,28 @@ void Titania_80192118(Boss* boss) {
             Math_SmoothStepToF(&boss->vel.z, gPlayer[0].vel.z, 0.7f, 1.0f, 0.01f);
             Math_SmoothStepToF(&boss->obj.pos.x, gPlayer[0].pos.x, 0.1f, 6.0f, 0.01f);
             Math_SmoothStepToF(&boss->obj.pos.z, gPlayer[0].unk_138 - 450.0f, 0.1f, 1.0f, 0.01f);
-            Animation_GetFrameData(&D_TI_A000D50, D_i5_801BBEF0[24] >> 1, D_i5_801BCA38);
+            Animation_GetFrameData(&D_TI_A000D50, D_i5_801BBEF0[24] >> 1, &D_i5_801BC978[16]);
 
             switch (D_i5_801BBEF0[39]) {
                 case 0:
-                    Animation_GetFrameData(&D_TI_A000858, D_i5_801BBEF0[22] >> 1, D_i5_801BC978);
+                    Animation_GetFrameData(&D_TI_A000858, D_i5_801BBEF0[22] >> 1, &D_i5_801BC978[0]);
                     break;
                 case 1:
-                    Animation_GetFrameData(&D_TI_A00047C, D_i5_801BBEF0[22] >> 1, D_i5_801BC978);
+                    Animation_GetFrameData(&D_TI_A00047C, D_i5_801BBEF0[22] >> 1, &D_i5_801BC978[0]);
                     break;
             }
 
             switch (D_i5_801BBEF0[40]) {
                 case 0:
-                    Animation_GetFrameData(&D_TI_A000858, D_i5_801BBEF0[23] >> 1, D_i5_801BC9D8);
+                    Animation_GetFrameData(&D_TI_A000858, D_i5_801BBEF0[23] >> 1, &D_i5_801BC978[8]);
                     break;
                 case 1:
-                    Animation_GetFrameData(&D_TI_A00047C, D_i5_801BBEF0[23] >> 1, D_i5_801BC9D8);
+                    Animation_GetFrameData(&D_TI_A00047C, D_i5_801BBEF0[23] >> 1, &D_i5_801BC978[8]);
                     break;
             }
-            Math_SmoothStepToVec3fArray(D_i5_801BC978, D_i5_801BCDC8, 1, 8, 0.5f, 360.0f, 0.01f);
-            Math_SmoothStepToVec3fArray(D_i5_801BC9D8, D_i5_801BCE28, 1, 8, 0.5f, 360.0f, 0.01f);
-            Math_SmoothStepToVec3fArray(D_i5_801BCA38, D_i5_801BCE88, 1, 13, 0.5f, 5.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[0], &D_i5_801BCDC8[0], 1, 8, 0.5f, 360.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[8], &D_i5_801BCDC8[8], 1, 8, 0.5f, 360.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[16], &D_i5_801BCDC8[16], 1, 13, 0.5f, 5.0f, 0.01f);
             D_i5_801BBEF0[24]++;
             D_i5_801BBEF0[22]++;
             D_i5_801BBEF0[23]++;
@@ -3388,13 +3384,13 @@ void Titania_80192118(Boss* boss) {
             break;
         case 4:
             boss->vel.z = gPlayer[0].vel.z;
-            Animation_GetFrameData(&D_TI_8000D80, D_i5_801BBEF0[22] >> 1, D_i5_801BC978);
-            Animation_GetFrameData(&D_TI_8000D80, D_i5_801BBEF0[23] >> 1, D_i5_801BC9D8);
-            Animation_GetFrameData(&D_TI_8000708, D_i5_801BBEF0[24] >> 1, D_i5_801BCA38);
+            Animation_GetFrameData(&D_TI_8000D80, D_i5_801BBEF0[22] >> 1, &D_i5_801BC978[0]);
+            Animation_GetFrameData(&D_TI_8000D80, D_i5_801BBEF0[23] >> 1, &D_i5_801BC978[8]);
+            Animation_GetFrameData(&D_TI_8000708, D_i5_801BBEF0[24] >> 1, &D_i5_801BC978[16]);
             Math_SmoothStepToF(&boss->fwork[0], 0.5f, 0.05f, 0.05f, 0.01f);
-            Math_SmoothStepToVec3fArray(D_i5_801BC978, D_i5_801BCDC8, 1, 8, boss->fwork[0], 360.0f, 0.01f);
-            Math_SmoothStepToVec3fArray(D_i5_801BC9D8, D_i5_801BCE28, 1, 8, boss->fwork[0], 360.0f, 0.01f);
-            Math_SmoothStepToVec3fArray(D_i5_801BCA38, D_i5_801BCE88, 1, 13, boss->fwork[0], 360.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[0], &D_i5_801BCDC8[0], 1, 8, boss->fwork[0], 360.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[8], &D_i5_801BCDC8[8], 1, 8, boss->fwork[0], 360.0f, 0.01f);
+            Math_SmoothStepToVec3fArray(&D_i5_801BC978[16], &D_i5_801BCDC8[16], 1, 13, boss->fwork[0], 360.0f, 0.01f);
             if (boss->timer_050 <= 120) {
                 if (D_i5_801BBEF0[22] < ((Animation_GetFrameCount(&D_TI_8000D80) * 2) - 1)) {
                     D_i5_801BBEF0[22]++;
@@ -4964,18 +4960,18 @@ void Titania_801982A8(Boss* boss) {
         case 4:
             Matrix_Push(&gGfxMatrix);
             D_i5_801BBEF0[25] = 0;
-            Animation_DrawSkeleton(0, D_TI_A000EDC, D_i5_801BCE88, Titania_8018FC70, Titania_8019002C, boss,
+            Animation_DrawSkeleton(0, D_TI_A000EDC, &D_i5_801BCDC8[16], Titania_8018FC70, Titania_8019002C, boss,
                                    &gIdentityMatrix);
             Matrix_Pop(&gGfxMatrix);
             D_TI_801B83A8[0] = 22.0f;
             Matrix_Push(&gGfxMatrix);
             D_i5_801BBEF0[25] = 1;
-            Animation_DrawSkeleton(0, D_TI_A000568, D_i5_801BCDC8, Titania_801903A0, Titania_8019081C, boss,
+            Animation_DrawSkeleton(0, D_TI_A000568, &D_i5_801BCDC8[0], Titania_801903A0, Titania_8019081C, boss,
                                    &gIdentityMatrix);
             Matrix_Pop(&gGfxMatrix);
             Matrix_Push(&gGfxMatrix);
             D_i5_801BBEF0[25] = 2;
-            Animation_DrawSkeleton(0, D_TI_A000568, D_i5_801BCE28, Titania_801903A0, Titania_8019081C, boss,
+            Animation_DrawSkeleton(0, D_TI_A000568, &D_i5_801BCDC8[8], Titania_801903A0, Titania_8019081C, boss,
                                    &gIdentityMatrix);
             Matrix_Pop(&gGfxMatrix);
             break;

tools/Torch

@@ -1 +1 @@
-Subproject commit 0cb23400b0ea1e443477ca2a764e9e74877c42b8
+Subproject commit a72020cca7f1498f73d42c71e694fd114843fe73