UNLOZE/sourcemod
10
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix out of bounds write in CDataPack::Write*Array (#1554)

Browse Source 
WriteCellArray and WriteFloatArray were allocating N+1 slots, but due to
a copy-paste error were writing N+2 slots. Much later in the process the
CRT would catch this and cause a crash - this was pretty painful to
debug but thankfully running SRCDS in CRT debug mode caught it much
sooner in CDataPack::RemoveItem.
This commit is contained in:
Asher Baker 2021-07-28 22:19:16 +01:00 committed by GitHub
parent b3672916de
commit c6917296d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
core/logic/CDataPack.cpp
View File

@ -116,7 +116,7 @@ void CDataPack::PackCellArray(cell_t const *vals, cell_t count)
val.type = CDataPackType::CellArray; val.type = CDataPackType::CellArray;
val.pData.aval = new cell_t [count + 1]; val.pData.aval = new cell_t [count + 1];
memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * (count + 1)); memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * count);
val.pData.aval[0] = count; val.pData.aval[0] = count;
elements.emplace(elements.begin() + position, val); elements.emplace(elements.begin() + position, val);
position++; position++;
@ -128,7 +128,7 @@ void CDataPack::PackFloatArray(cell_t const *vals, cell_t count)
val.type = CDataPackType::FloatArray; val.type = CDataPackType::FloatArray;
val.pData.aval = new cell_t [count + 1]; val.pData.aval = new cell_t [count + 1];
memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * (count + 1)); memcpy(&val.pData.aval[1], vals, sizeof(cell_t) * count);
val.pData.aval[0] = count; val.pData.aval[0] = count;
elements.emplace(elements.begin() + position, val); elements.emplace(elements.begin() + position, val);
position++; position++;
@ -294,7 +294,7 @@ bool CDataPack::RemoveItem(size_t pos)
case CDataPackType::CellArray: case CDataPackType::CellArray:
case CDataPackType::FloatArray: case CDataPackType::FloatArray:
{ {
delete elements[pos].pData.aval; delete [] elements[pos].pData.aval;
break; break;
} }
} }