Fix out of bounds access in snapshot delta handling

Redix 2020-10-11 18:14:12 +02:00
parent ea1acfd22c
commit d172286c6c
2 changed files with 15 additions and 6 deletions


@ -189,6 +189,8 @@ CSnapshotDelta::CSnapshotDelta(const CSnapshotDelta &old)
void CSnapshotDelta::SetStaticsize(int ItemType, int Size) void CSnapshotDelta::SetStaticsize(int ItemType, int Size)
{ {
if(ItemType < 0 || ItemType >= MAX_NETOBJSIZES)
return;
m_aItemSizes[ItemType] = Size; m_aItemSizes[ItemType] = Size;
} }
@ -248,20 +250,22 @@ int CSnapshotDelta::CreateDelta(CSnapshot *pFrom, CSnapshot *pTo, void *pDstData
pCurItem = pTo->GetItem(i); // O(1) .. O(n) pCurItem = pTo->GetItem(i); // O(1) .. O(n)
PastIndex = aPastIndices[i]; PastIndex = aPastIndices[i];
bool IncludeSize = pCurItem->Type() >= MAX_NETOBJSIZES || !m_aItemSizes[pCurItem->Type()];
if(PastIndex != -1) if(PastIndex != -1)
{ {
int *pItemDataDst = pData + 3; int *pItemDataDst = pData + 3;
pPastItem = pFrom->GetItem(PastIndex); pPastItem = pFrom->GetItem(PastIndex);
if(m_aItemSizes[pCurItem->Type()]) if(!IncludeSize)
pItemDataDst = pData + 2; pItemDataDst = pData + 2;
if(DiffItem(pPastItem->Data(), pCurItem->Data(), pItemDataDst, ItemSize / 4)) if(DiffItem(pPastItem->Data(), pCurItem->Data(), pItemDataDst, ItemSize / 4))
{ {
*pData++ = pCurItem->Type(); *pData++ = pCurItem->Type();
*pData++ = pCurItem->ID(); *pData++ = pCurItem->ID();
if(!m_aItemSizes[pCurItem->Type()]) if(IncludeSize)
*pData++ = ItemSize / 4; *pData++ = ItemSize / 4;
pData += ItemSize / 4; pData += ItemSize / 4;
pDelta->m_NumUpdateItems++; pDelta->m_NumUpdateItems++;
@ -271,7 +275,7 @@ int CSnapshotDelta::CreateDelta(CSnapshot *pFrom, CSnapshot *pTo, void *pDstData
{ {
*pData++ = pCurItem->Type(); *pData++ = pCurItem->Type();
*pData++ = pCurItem->ID(); *pData++ = pCurItem->ID();
if(!m_aItemSizes[pCurItem->Type()]) if(IncludeSize)
*pData++ = ItemSize / 4; *pData++ = ItemSize / 4;
mem_copy(pData, pCurItem->Data(), ItemSize); mem_copy(pData, pCurItem->Data(), ItemSize);
@ -368,8 +372,10 @@ int CSnapshotDelta::UnpackDelta(CSnapshot *pFrom, CSnapshot *pTo, void *pSrcData
return -1; return -1;
Type = *pData++; Type = *pData++;
if(Type < 0)
return -1;
ID = *pData++; ID = *pData++;
if((unsigned int)Type < sizeof(m_aItemSizes) / sizeof(m_aItemSizes[0]) && m_aItemSizes[Type]) if(Type < MAX_NETOBJSIZES && m_aItemSizes[Type])
ItemSize = m_aItemSizes[Type]; ItemSize = m_aItemSizes[Type];
else else
{ {
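Review bot: The new `IncludeSize` line in the CreateDelta hunk guards `m_aItemSizes[pCurItem->Type()]` only against types at or above MAX_NETOBJSIZES, whereas the UnpackDelta hunk below also rejects a negative `Type`; if pTo can ever hold an item whose type did not pass through UnpackDelta's check, a negative `Type()` still indexes before the array. Making the two checks symmetric, `bool IncludeSize = pCurItem->Type() < 0 || pCurItem->Type() >= MAX_NETOBJSIZES || !m_aItemSizes[pCurItem->Type()];`, keeps the writer as defensive as the reader without changing the encoding for valid types; whether such a type can reach CreateDelta is not visible here, so an assertion in the project's style may be the appropriate form. Separately, for a statically sized type the writer emits `ItemSize / 4` ints while the reader takes the length from `m_aItemSizes[Type]`, so a comment at the `IncludeSize` line such as `// a type with a registered static size must have ItemSize == m_aItemSizes[Type], the reader uses the table` would record the invariant both sides depend on. CreateDelta and UnpackDelta both continue outside their hunks.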


@ -67,8 +67,11 @@ public:
}; };
private: private:
// TODO: strange arbitrary number enum
short m_aItemSizes[64]; {
MAX_NETOBJSIZES = 64
};
short m_aItemSizes[MAX_NETOBJSIZES];
int m_aSnapshotDataRate[0xffff]; int m_aSnapshotDataRate[0xffff];
int m_aSnapshotDataUpdates[0xffff]; int m_aSnapshotDataUpdates[0xffff];
int m_SnapshotCurrent; int m_SnapshotCurrent;
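Review bot: The `// TODO: strange arbitrary number` comment disappears together with the literal 64, but the new `MAX_NETOBJSIZES` enumerator carries no comment saying what it bounds, even though the other file's hunks now use it as the cutoff between types with a registered static size and types that carry their size in the delta. A one-line comment beside the enum, `// item types >= MAX_NETOBJSIZES have no static size entry; their size is sent in the delta`, would record that contract where the array is declared. `m_aItemSizes` remains `short`, so the `int Size` stored by SetStaticsize in the other file is still narrowed on assignment; whether that is intended is not visible from this hunk.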