From c6917296d3fd63608a97b47ba10914fcf295254e Mon Sep 17 00:00:00 2001
From: Asher Baker
Date: Wed, 28 Jul 2021 22:19:16 +0100
Subject: [PATCH] Fix out of bounds write in CDataPack::Write*Array (#1554)

WriteCellArray and WriteFloatArray were allocating N+1 slots, but due to a copy-paste error were writing N+2 slots. Much later in the process the CRT would catch this and cause a crash - this was pretty painful to debug but thankfully running SRCDS in CRT debug mode caught it much sooner in CDataPack::RemoveItem.
---
 core/logic/CDataPack.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/core/logic/CDataPack.cpp b/core/logic/CDataPack.cpp
index 81363839..1b531bff 100644
--- a/core/logic/CDataPack.cpp
+++ b/core/logic/CDataPack.cpp
@@ -116,7 +116,7 @@ void CDataPack::PackCellArray(cell_t const *vals, cell_t count)
 val.type = CDataPackType::CellArray;
 val.pData.aval = new cell_t [count + 1];
- memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * (count + 1));
+ memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * count);
 val.pData.aval[0] = count;
 elements.emplace(elements.begin() + position, val);
 position++;
@@ -128,7 +128,7 @@ void CDataPack::PackFloatArray(cell_t const *vals, cell_t count)
 val.type = CDataPackType::FloatArray;
 val.pData.aval = new cell_t [count + 1];
- memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * (count + 1));
+ memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * count);
 val.pData.aval[0] = count;
 elements.emplace(elements.begin() + position, val);
 position++;
@@ -294,7 +294,7 @@ bool CDataPack::RemoveItem(size_t pos)
 case CDataPackType::CellArray:
 case CDataPackType::FloatArray:
 {
- delete elements[pos].pData.aval;
+ delete [] elements[pos].pData.aval;
 break;
 }
 }
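Review bot: The corrected memcpy still trusts `count` unconditionally; if `cell_t` is a signed integer type (it appears to be a script-level cell, so I assume it is — confirm against the typedef), a negative value makes `count + 1` on the `new cell_t [count + 1]` line and `sizeof(cell_t) * count` at the memcpy wrap to huge unsigned sizes, turning a bad argument into a throwing or overrunning allocation. A guard at the top of the function, `if (count < 0) return;` (or whatever failure convention the surrounding API uses), would keep the allocation and the copy consistent for every input, and the identical lines in the PackFloatArray hunk need the same guard. PackCellArray's body starts before this hunk, so I cannot see whether the caller already validates `count` before reaching these lines.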
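Review bot: `delete []` now pairs correctly with the `new cell_t [count + 1]` in PackCellArray and PackFloatArray, but nothing at either site records that pairing, which is how the scalar `delete` slipped in; a one-line comment at the allocation, `// aval is owned by this element and released with delete [] in RemoveItem`, would document it for whoever adds the next array type. Any other path that frees `aval` (a destructor or reset routine, if the class has one) is outside this hunk and would need the same `delete []`. RemoveItem's switch and body continue outside the hunk.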