From 476a912b3faebbd2d70fe8ef11ff6f112eaf3deb Mon Sep 17 00:00:00 2001
From: def
Date: Sat, 10 Oct 2020 23:39:13 +0200
Subject: [PATCH] Fix CRaceDemo + CGhost out of bounds access
#0 0x9f70dd in CRaceDemo::OnMessage(int, void*) src/game/client/components/race_demo.cpp:134
#1 0xab81af in CGameClient::OnMessage(int, CUnpacker*, bool) src/game/client/gameclient.cpp:823
#2 0x50ff76 in CClient::ProcessServerPacket(CNetChunk*) src/engine/client/client.cpp:2100
#3 0x51bf62 in CClient::PumpNetwork() src/engine/client/client.cpp:2580
#4 0x526b56 in CClient::Update() src/engine/client/client.cpp:2856
#5 0x5333e4 in CClient::Run() src/engine/client/client.cpp:3237
#6 0x557fda in main src/engine/client/client.cpp:4341
#7 0x7f55e8c75cc9 in __libc_start_main ../csu/libc-start.c:308
#8 0x433e29 in _start (build/DDNet+0x433e29)
src/game/client/components/ghost.cpp:600:35: runtime error: index -1 out of bounds for type 'CGameClient::CClientData [64]'
#0 0x78201a in CGhost::OnMessage(int, void*) src/game/client/components/ghost.cpp:600
#1 0xab81af in CGameClient::OnMessage(int, CUnpacker*, bool) src/game/client/gameclient.cpp:823
#2 0x50ff76 in CClient::ProcessServerPacket(CNetChunk*) src/engine/client/client.cpp:2100
#3 0x51bf62 in CClient::PumpNetwork() src/engine/client/client.cpp:2580
#4 0x526b56 in CClient::Update() src/engine/client/client.cpp:2856
#5 0x5333e4 in CClient::Run() src/engine/client/client.cpp:3237
#6 0x557fda in main src/engine/client/client.cpp:4341
#7 0x7f55e8c75cc9 in __libc_start_main ../csu/libc-start.c:308
#8 0x433e29 in _start (build/DDNet+0x433e29)
---
 src/game/client/components/ghost.cpp | 2 +-
 src/game/client/components/race_demo.cpp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/game/client/components/ghost.cpp b/src/game/client/components/ghost.cpp
index c4d65f08d..a9891817d 100644
--- a/src/game/client/components/ghost.cpp
+++ b/src/game/client/components/ghost.cpp
@@ -597,7 +597,7 @@ void CGhost::OnMessage(int MsgType, void *pRawMsg)
 {
 char aName[MAX_NAME_LENGTH];
 int Time = CRaceHelper::TimeFromFinishMessage(pMsg->m_pMessage, aName, sizeof(aName));
- if(Time > 0 && str_comp(aName, m_pClient->m_aClients[m_pClient->m_Snap.m_LocalClientID].m_aName) == 0)
+ if(Time > 0 && m_pClient->m_Snap.m_LocalClientID >= 0 && str_comp(aName, m_pClient->m_aClients[m_pClient->m_Snap.m_LocalClientID].m_aName) == 0)
 {
 StopRecord(Time);
 StopRender();
diff --git a/src/game/client/components/race_demo.cpp b/src/game/client/components/race_demo.cpp
index 94b5ad188..fd8af3417 100644
--- a/src/game/client/components/race_demo.cpp
+++ b/src/game/client/components/race_demo.cpp
@@ -131,7 +131,7 @@ void CRaceDemo::OnMessage(int MsgType, void *pRawMsg)
 {
 char aName[MAX_NAME_LENGTH];
 int Time = CRaceHelper::TimeFromFinishMessage(pMsg->m_pMessage, aName, sizeof(aName));
- if(Time > 0 && str_comp(aName, m_pClient->m_aClients[m_pClient->m_Snap.m_LocalClientID].m_aName) == 0)
+ if(Time > 0 && m_pClient->m_Snap.m_LocalClientID >= 0 && str_comp(aName, m_pClient->m_aClients[m_pClient->m_Snap.m_LocalClientID].m_aName) == 0)
 {
 m_RaceState = RACE_FINISHED;
 m_RecordStopTick = Client()->GameTick(g_Config.m_ClDummy) + Client()->GameTickSpeed();
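Review bot: The added `m_pClient->m_Snap.m_LocalClientID >= 0` in the ghost.cpp hunk guards only the lower bound before the value indexes m_aClients; nothing bounds it from above, and the sanitizer trace in the commit message gives the array as `CClientData [64]`, so a value of 64 or more would still read past the end. m_LocalClientID lives in m_Snap and so presumably originates from server-supplied snapshot data; unless it is range-checked where m_Snap is filled in, the condition should cover both ends, e.g. `const int LocalID = m_pClient->m_Snap.m_LocalClientID;` followed by `if(Time > 0 && LocalID >= 0 && LocalID < MAX_CLIENTS && str_comp(aName, m_pClient->m_aClients[LocalID].m_aName) == 0)`. The race_demo.cpp hunk repeats the same condition verbatim and has the same gap; a shared helper on the client that answers whether a finish message names the local player would keep the two components in step. A short why-comment above the check would also help a later reader, e.g. `// m_LocalClientID is -1 while no snapshot carrying local info has arrived — TODO confirm`. CGhost::OnMessage starts before and ends after the hunk, as does CRaceDemo::OnMessage in the second one.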