From 6b9ef88816744bdeba553bf4780fe5040082f0ef Mon Sep 17 00:00:00 2001
From: Michael Scire
Date: Tue, 31 Dec 2019 00:19:58 -0800
Subject: [PATCH] sf: fix support for automatic recvlist buffers

---
 .../source/sf/hipc/sf_hipc_server_session_manager.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp b/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
index 5b0a010e..1f2a5ed7 100644
--- a/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
+++ b/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
@@ -277,7 +277,8 @@ namespace ams::sf::hipc {
             /* Note: Nintendo does not validate this size before subtracting 0x10 from it. This is not exploitable. */
             R_UNLESS(in_raw_size >= 0x10, sf::hipc::ResultInvalidRequestSize());
             R_UNLESS(in_raw_addr + in_raw_size <= in_message_buffer_end, sf::hipc::ResultInvalidRequestSize());
-            const uintptr_t recv_list_end = reinterpret_cast(dispatch_ctx.request.data.recv_list + dispatch_ctx.request.meta.num_recv_statics);
+            const size_t recv_list_size = dispatch_ctx.request.meta.num_recv_statics == HIPC_AUTO_RECV_STATIC ? 1 : dispatch_ctx.request.meta.num_recv_statics;
+            const uintptr_t recv_list_end = reinterpret_cast(dispatch_ctx.request.data.recv_list + recv_list_size);
             R_UNLESS(recv_list_end <= in_message_buffer_end, sf::hipc::ResultInvalidRequestSize());
 
             /* CMIF has 0x10 of padding in raw data, and requires 0x10 alignment. */
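Review bot: The added `recv_list_size` line maps `HIPC_AUTO_RECV_STATIC` to a bare `1` with no comment, so the next reader cannot tell whether that is the number of recv-list entries the auto mode actually places in the message or an arbitrary lower bound for the end-of-buffer check that follows; since this is a bounds check on a client-supplied header, the reason the size is exactly one entry should be stated where it is relied on, e.g. `/* Auto-select recv statics carry exactly one recv list entry in the message; num_recv_statics is a sentinel here, not a count. */` (please confirm against the hipc header that defines `HIPC_AUTO_RECV_STATIC`). If the same sentinel-to-count mapping is needed when the recv list is later walked, consider a single named helper (e.g. `GetRecvListEntryCount(meta)`) so the two sites cannot drift apart. Separately, both the removed and added `recv_list_end` lines read `reinterpret_cast(...)` without a target type, which looks like the `<uintptr_t>` template argument being stripped by the rendering rather than a defect in the patch, but it is worth verifying against the actual source. The enclosing function starts and ends outside this hunk.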