From 2103e40448159d6a6d479ada79dd876228be07e7 Mon Sep 17 00:00:00 2001
From: yellows8
Date: Sat, 3 Feb 2018 21:06:23 -0500
Subject: [PATCH] Better argdata validation.

---
 nx/source/runtime/argv.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/nx/source/runtime/argv.c b/nx/source/runtime/argv.c
index 67250003..5fd3f7c3 100644
--- a/nx/source/runtime/argv.c
+++ b/nx/source/runtime/argv.c
@@ -20,8 +20,8 @@ void argvSetup(void)
 u8 *argdata = (u8*)&__argdata__;
 u32 *arg32 = (u32*)argdata;
 
- u32 argdata_allocsize;
- u32 argdata_strsize;
+ u64 argdata_allocsize;
+ u64 argdata_strsize;
 u32 argvptr_pos;
 u32 max_argv;
 u32 argi;
@@ -35,6 +35,7 @@ void argvSetup(void)
 __system_argc = 0;
 __system_argv = NULL;
 
+ memset(&meminfo, 0, sizeof(meminfo));
 rc = svcQueryMemory(&meminfo, &pageinfo, (u64)argdata);
 
 // TODO: Use envHasArgv() here.
@@ -43,12 +44,15 @@ void argvSetup(void)
 if (R_FAILED(rc) || meminfo.perm != 0x3)
 return;
 
- argdata_allocsize = arg32[0];
- argdata_strsize = arg32[1];
+ argdata_allocsize = (u64)arg32[0];
+ argdata_strsize = (u64)arg32[1];
 args = (char*)&argdata[0x20];
 
 if (argdata_allocsize==0 || argdata_strsize==0) return;
 
+ if ((u64)argdata < meminfo.addr) return;
+ if (((u64)argdata - meminfo.addr) + argdata_allocsize > meminfo.size) return;
+
 argvptr_pos = 0x20 + argdata_strsize+1;
 if (argvptr_pos >= argdata_allocsize) return;
 argstorage = (char*)&argdata[argvptr_pos];
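Review bot: `argvptr_pos` is still declared `u32` in the first hunk, so in the third hunk the sum `0x20 + argdata_strsize+1` is computed in 64 bits and then truncated on assignment. A header-supplied `argdata_strsize` near the top of the 32-bit range therefore still wraps to a small position and passes `if (argvptr_pos >= argdata_allocsize) return;`, just as it did before the two size variables were widened. Declaring `u64 argvptr_pos;` (or comparing `argdata_strsize` against `argdata_allocsize` before the addition) would make the widening effective. The rest of argvSetup lies outside these hunks, so later uses of `argdata_strsize` and `argvptr_pos` should be checked with the same concern.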
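Review bot: The two range checks added in the third hunk carry no comment saying which value is untrusted or what invariant they establish. A line above them such as `// argdata_allocsize is read from the argdata header: require the claimed buffer to lie inside the region svcQueryMemory returned.` would help the next reader. It is also worth stating that the first check exists so the subtraction in the second cannot underflow. argvSetup starts and ends outside the hunk.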