mirror of
https://github.com/ddnet/ddnet.git
synced 2024-09-22 02:24:17 +00:00
3863d41623
Add `CSnapshot::IsValid` to check if a snapshot unpacked from a snapshot delta or demo is valid: - ensure number of items and data size are not negative - ensure that the actual size of the snapshot matches the size derived from its member variables - ensure item offsets are within the valid range - ensure item sizes are not negative Add `CSnapshot::TotalSize` and `CSnapshot::OffsetSize` utility functions. Minor improvements to related error messages. Fixes buffer overflow: ``` ==47744==ERROR: AddressSanitizer: global-buffer-overflow on address 0x558618e3767f at pc 0x558614b9bdfb bp 0x7ffe58a32cd0 sp 0x7ffe58a32cc0 READ of size 4 at 0x558618e3767f thread T0 0x558614b9bdfa in CSnapshotItem::Type() const src/engine/shared/snapshot.h:16 0x558615c3c911 in CSnapshot::GetItemType(int) const src/engine/shared/snapshot.cpp:29 0x558614aebaba in CClient::UnpackAndValidateSnapshot(CSnapshot*, CSnapshot*) src/engine/client/client.cpp:2264 0x558614af87cb in CClient::OnDemoPlayerSnapshot(void*, int) src/engine/client/client.cpp:2598 0x558615b9db1a in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:659 0x558615babd3f in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007 0x558614afb08b in CClient::Update() src/engine/client/client.cpp:2686 0x558614b1d9eb in CClient::Run() src/engine/client/client.cpp:3296 0x558614b8e64f in main src/engine/client/client.cpp:4761 ``` And fixes a buffer overflow that manifests itself as an internal ASan error: ``` ================================================================= ==4755==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cc:79 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0) 0x7f0bf5f368be in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:72 0x7f0bf5f54eee in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77 0x7f0bf5e4cb6f in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cc:79 0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:95 0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:92 0x7f0bf5e4e386 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cc:440 0x7f0bf5e50e94 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cc:380 0x7f0bf5f35f4d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cc:460 0x7f0bf5e86f5e in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 0x558234873f1d in mem_zero src/base/system.cpp:213 0x55823481fc27 in CSnapshotBuilder::NewItem(int, int, int) src/engine/shared/snapshot.cpp:675 0x55823481be65 in CSnapshotDelta::UnpackDelta(CSnapshot*, CSnapshot*, void const*, int) src/engine/shared/snapshot.cpp:380 0x558234776641 in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:631 0x5582347861a9 in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007 0x5582336d4c7d in CClient::Update() src/engine/client/client.cpp:2695 0x5582336f75dd in CClient::Run() src/engine/client/client.cpp:3305 0x558233768241 in main src/engine/client/client.cpp:4770 ``` |
||
---|---|---|
.. | ||
backend | ||
backend_sdl.cpp | ||
backend_sdl.h | ||
blocklist_driver.cpp | ||
blocklist_driver.h | ||
checksum.h | ||
client.cpp | ||
client.h | ||
demoedit.cpp | ||
demoedit.h | ||
discord.cpp | ||
favorites.cpp | ||
friends.cpp | ||
friends.h | ||
ghost.cpp | ||
ghost.h | ||
graphics_defines.h | ||
graphics_threaded.cpp | ||
graphics_threaded.h | ||
input.cpp | ||
input.h | ||
keynames.h | ||
notifications.cpp | ||
notifications.h | ||
serverbrowser.cpp | ||
serverbrowser.h | ||
serverbrowser_http.cpp | ||
serverbrowser_http.h | ||
serverbrowser_ping_cache.cpp | ||
serverbrowser_ping_cache.h | ||
sound.cpp | ||
sound.h | ||
sqlite.cpp | ||
steam.cpp | ||
text.cpp | ||
updater.cpp | ||
updater.h | ||
video.cpp | ||
video.h |