From 49ba9078f5e0a41e27d6f58fafda95d5f6d711d6 Mon Sep 17 00:00:00 2001
From: def
Date: Tue, 30 Jun 2020 14:08:55 +0200
Subject: [PATCH] Fix out of bounds read in CPlayer::Snap with IsSixup (fixes #2416)
---
 src/game/server/player.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/game/server/player.cpp b/src/game/server/player.cpp
index 85a182396..32d7fb516 100644
--- a/src/game/server/player.cpp
+++ b/src/game/server/player.cpp
@@ -330,7 +330,7 @@ void CPlayer::Snap(int SnappingClient)
 if(SnappingClient != m_ClientID && g_Config.m_SvHideScore)
 Score = -9999;
- if(!Server()->IsSixup(SnappingClient))
+ if(SnappingClient < 0 || !Server()->IsSixup(SnappingClient))
 {
 CNetObj_PlayerInfo *pPlayerInfo = static_cast(Server()->SnapNewItem(NETOBJTYPE_PLAYERINFO, id, sizeof(CNetObj_PlayerInfo)));
 if(!pPlayerInfo)
@@ -362,7 +362,7 @@ void CPlayer::Snap(int SnappingClient)
 if(m_ClientID == SnappingClient && (m_Team == TEAM_SPECTATORS || m_Paused))
 {
- if(!Server()->IsSixup(SnappingClient))
+ if(SnappingClient < 0 || !Server()->IsSixup(SnappingClient))
 {
 CNetObj_SpectatorInfo *pSpectatorInfo = static_cast(Server()->SnapNewItem(NETOBJTYPE_SPECTATORINFO, m_ClientID, sizeof(CNetObj_SpectatorInfo)));
 if(!pSpectatorInfo)
@@ -398,7 +398,7 @@ void CPlayer::Snap(int SnappingClient)
 if(m_Paused == PAUSE_PAUSED)
 pDDNetPlayer->m_Flags |= EXPLAYERFLAG_PAUSED;
- if(Server()->IsSixup(SnappingClient) && m_pCharacter && m_pCharacter->m_DDRaceState == DDRACE_STARTED &&
+ if(SnappingClient >= 0 && Server()->IsSixup(SnappingClient) && m_pCharacter && m_pCharacter->m_DDRaceState == DDRACE_STARTED &&
 GameServer()->m_apPlayers[SnappingClient]->m_TimerType == TIMERTYPE_SIXUP)
 {
 protocol7::CNetObj_PlayerInfoRace *pRaceInfo = static_cast(Server()->SnapNewItem(-protocol7::NETOBJTYPE_PLAYERINFORACE, id, sizeof(protocol7::CNetObj_PlayerInfoRace)));
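Review bot: The guard `SnappingClient < 0 ||` is now repeated verbatim at three call sites (this hunk at -330 and the ones at -362 and -398), which is exactly the kind of invariant that drifts the next time someone adds an IsSixup() branch to CPlayer::Snap. Compute it once near the top of Snap, e.g. `const bool Sixup = SnappingClient >= 0 && Server()->IsSixup(SnappingClient);`, and test `!Sixup` / `Sixup` in the three branches so the "negative id means no real client behind the snapshot" rule lives in one place. That line deserves a one-line comment naming which caller passes a negative id — presumably a server-side snapshot with no client attached — because nothing in the hunk shows it. If IsSixup() itself indexes a per-client table without validating its argument, as the subject suggests, a range check inside IsSixup() would close the same read for every other caller as well; the call-site guards only protect Snap. The body of Snap continues outside the hunk.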
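Review bot: The new condition in the -398 hunk still dereferences `GameServer()->m_apPlayers[SnappingClient]` on the continuation line with no null check, so an in-range, sixup SnappingClient whose player object has not been created yet (or has already been released) would now fault here instead of reading out of bounds. Whether that slot can be null for a client that IsSixup() reports on is not visible in the hunk; if it can, add `GameServer()->m_apPlayers[SnappingClient] &&` in front of the `m_TimerType` comparison — it is free and leaves the rest of the check unchanged. The enclosing function continues outside the hunk.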