From 0b0fdc5c58b5db6efe08c83036844ca646bfb32b Mon Sep 17 00:00:00 2001
From: Michael Scire
Date: Tue, 31 Dec 2019 00:19:58 -0800
Subject: [PATCH] sf: fix support for automatic recvlist buffers

---
 .../source/sf/hipc/sf_hipc_server_session_manager.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libraries/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp b/libraries/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
index 5b0a010e2..1f2a5ed73 100644
--- a/libraries/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
+++ b/libraries/libstratosphere/source/sf/hipc/sf_hipc_server_session_manager.cpp
@@ -277,7 +277,8 @@ namespace ams::sf::hipc {
             /* Note: Nintendo does not validate this size before subtracting 0x10 from it. This is not exploitable. */
             R_UNLESS(in_raw_size >= 0x10, sf::hipc::ResultInvalidRequestSize());
             R_UNLESS(in_raw_addr + in_raw_size <= in_message_buffer_end, sf::hipc::ResultInvalidRequestSize());
-            const uintptr_t recv_list_end = reinterpret_cast(dispatch_ctx.request.data.recv_list + dispatch_ctx.request.meta.num_recv_statics);
+            const size_t recv_list_size = dispatch_ctx.request.meta.num_recv_statics == HIPC_AUTO_RECV_STATIC ? 1 : dispatch_ctx.request.meta.num_recv_statics;
+            const uintptr_t recv_list_end = reinterpret_cast(dispatch_ctx.request.data.recv_list + recv_list_size);
             R_UNLESS(recv_list_end <= in_message_buffer_end, sf::hipc::ResultInvalidRequestSize());
 
             /* CMIF has 0x10 of padding in raw data, and requires 0x10 alignment. */
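Review bot: The new `recv_list_size` line reads `dispatch_ctx.request.meta.num_recv_statics` twice and gives no hint why the auto mode maps to a count of one, so the bounds check that follows is harder to audit than it needs to be. I would hoist the field and comment the mapping: `const auto num_recv_statics = dispatch_ctx.request.meta.num_recv_statics;` then `/* HIPC_AUTO_RECV_STATIC is a mode marker, not an entry count; treat the auto mode as a single receive-list entry for bounds purposes. */` then `const size_t recv_list_size = num_recv_statics == HIPC_AUTO_RECV_STATIC ? 1 : num_recv_statics;`. Whether the auto-mode entry really sits at `data.recv_list` cannot be confirmed from this hunk — presumably the request parser placed it there — and that assumption deserves a sentence in the comment, because this check is what keeps a header-supplied count from pushing `recv_list_end` past `in_message_buffer_end`. The enclosing function starts and ends outside the hunk.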