From 523c15e0e7602fcfc5ab6f24c4eb0bfd97d93e4f Mon Sep 17 00:00:00 2001
From: m!nus
Date: Fri, 29 Oct 2010 01:28:11 +0200
Subject: [PATCH] added a null pointer check in huffman decompression code. it was possible to crash a masterserver by sending it a packet that had the compression flag (but not the connection-less flag) set because the huffman look up table is not initialized in the masterserver and thus resulted in a null-pointer-node. clients and servers (with initialized look up tables were not affected. it was also not possible to use this to inject code.
---
 src/engine/shared/huffman.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/engine/shared/huffman.cpp b/src/engine/shared/huffman.cpp
index dfa8923a9..446b6003b 100644
--- a/src/engine/shared/huffman.cpp
+++ b/src/engine/shared/huffman.cpp
@@ -228,6 +228,9 @@ int CHuffman::Decompress(const void *pInput, int InputSize, void *pOutput, int O
 // {C} load symbol now if we didn't that earlier at location {A}
 if(!pNode)
 pNode = m_apDecodeLut[Bits&HUFFMAN_LUTMASK];
+
+ if(!pNode)
+ return -1;

 // {D} check if we hit a symbol already
 if(pNode->m_NumBits)
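Review bot: The new `if(!pNode) return -1;` guard after step {C} has no comment, unlike the labelled steps around it, so a later reader cannot tell that a null entry in `m_apDecodeLut` is an expected state for a process that never built the table rather than an impossible one. I would add `// table entry is null when the decode table was never initialized (e.g. masterserver); reject the input` directly above it. The guard only stops the dereference at {D}. Since the commit message says the table is never initialized in the masterserver, that caller could also drop packets carrying the compression flag before they reach Decompress, so untrusted input is rejected before any decoding work. Decompress starts and ends outside this hunk, so whether every caller treats -1 as "drop the packet" cannot be confirmed from here.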