CVE-2026-39199
Description
snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing bounds check on the relative offset in the UPS patch XOR loop allows an out-of-bounds write to Memory.ROM."
Attack vector
An attacker crafts a malicious .ups patch file that encodes arbitrarily large offset values via `XPSdecode`. The patching logic in `memmap.cpp:3942` automatically searches for a .ups file matching the ROM filename and applies it without prompting the user [ref_id=1]. Simply placing the malicious .ups file alongside a ROM (e.g., in a downloaded ROM pack or shared directory) is enough to trigger the vulnerability. The loop writes out-of-bounds on `Memory.ROM`, corrupting adjacent heap memory and causing a crash.
Affected code
The vulnerability resides in the UPS patching routine in `memmap.cpp` (prior to commit 96b3661). The patch application loop accumulates a relative offset from values decoded out of the patch data and uses it to XOR bytes directly into `Memory.ROM` without validating that `relative` stays within the allocated buffer size.
What the fix does
The advisory does not include a patch diff, but notes that the fix is in commit 96b3661 [ref_id=1]. The root cause is that while the function checks `out_size <= CMemory::MAX_ROM_SIZE` at line 3636, it never validates that the `relative` offset stays within `out_size` (or `MAX_ROM_SIZE`) during the XOR loop. A proper fix would add a bounds check before writing `Memory.ROM[relative++] ^= x` to ensure `relative` does not exceed the allocated buffer.
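A bounds-checked XOR loop of the kind described above, as an added example that is not Snes9x code and not the fix commit. `decode_varint`, `apply_xor_hunks` and the sample bytes are constructed here, and the hunk layout (variable-length offset, XOR bytes, 0x00 terminator) is an assumed, simplified model that leaves out the UPS header and checksums.

```cpp
// Added example: simplified model of a UPS XOR loop, not Snes9x source.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// UPS-style variable-length integer; stands in for the XPSdecode step.
// Stops at the end of the patch data instead of reading past it.
static uint64_t decode_varint(const Bytes &p, size_t &pos) {
    uint64_t value = 0, shift = 1;
    while (pos < p.size()) {
        uint8_t x = p[pos++];
        value += (x & 0x7f) * shift;
        if (x & 0x80) break;          // high bit marks the last byte
        shift <<= 7;
        value += shift;
    }
    return value;
}

// Applies XOR hunks (offset varint, XOR bytes, 0x00 terminator) to rom.
// Returns false as soon as a write would land outside rom; rom may then be
// partially patched, so the caller should discard it.
static bool apply_xor_hunks(Bytes &rom, const Bytes &hunks) {
    size_t pos = 0, relative = 0;
    while (pos < hunks.size()) {
        uint64_t skip = decode_varint(hunks, pos);
        if (relative > rom.size() || skip > rom.size() - relative)
            return false;             // accumulated offset leaves the buffer
        relative += static_cast<size_t>(skip);
        while (pos < hunks.size()) {
            uint8_t x = hunks[pos++];
            if (!x) { ++relative; break; }             // terminator: nothing to write
            if (relative >= rom.size()) return false;  // check before every write
            rom[relative++] ^= x;
        }
    }
    return true;
}

int main() {
    Bytes rom(8, 0);                                   // constructed 8-byte buffer
    bool ok = apply_xor_hunks(rom, {0x82, 0x11, 0x22, 0x00});         // in range
    bool bad = apply_xor_hunks(rom, {0x7f, 0x7f, 0xff, 0x01, 0x00});  // oversized offset
    std::printf("in-range: %d, oversized offset: %d\n", ok, bad);
    return ok && !bad ? 0 : 1;
}
```

Comparing `skip` against `rom.size() - relative` rather than adding first keeps the check itself from wrapping when the decoded offset is very large.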
Preconditions
- input: The attacker must place a malicious .ups file alongside a ROM file that Snes9x will load
- config: The .ups file must match the ROM filename so that Snes9x's automatic patch detection applies it
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.