ddnet/src/engine/client
Robert Müller 3863d41623 Validate snapshot size and member variables and demo snapshots
Add `CSnapshot::IsValid` to check if a snapshot unpacked from a snapshot delta or demo is valid:
- ensure number of items and data size are not negative
- ensure that the actual size of the snapshot matches the size derived from its member variables
- ensure item offsets are within the valid range
- ensure item sizes are not negative

Add `CSnapshot::TotalSize` and `CSnapshot::OffsetSize` utility functions.

Minor improvements to related error messages.

Fixes buffer overflow:

```
==47744==ERROR: AddressSanitizer: global-buffer-overflow on address 0x558618e3767f at pc 0x558614b9bdfb bp 0x7ffe58a32cd0 sp 0x7ffe58a32cc0
READ of size 4 at 0x558618e3767f thread T0
    0x558614b9bdfa in CSnapshotItem::Type() const src/engine/shared/snapshot.h:16
    0x558615c3c911 in CSnapshot::GetItemType(int) const src/engine/shared/snapshot.cpp:29
    0x558614aebaba in CClient::UnpackAndValidateSnapshot(CSnapshot*, CSnapshot*) src/engine/client/client.cpp:2264
    0x558614af87cb in CClient::OnDemoPlayerSnapshot(void*, int) src/engine/client/client.cpp:2598
    0x558615b9db1a in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:659
    0x558615babd3f in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
    0x558614afb08b in CClient::Update() src/engine/client/client.cpp:2686
    0x558614b1d9eb in CClient::Run() src/engine/client/client.cpp:3296
    0x558614b8e64f in main src/engine/client/client.cpp:4761
```

And fixes a buffer overflow that manifests itself as an internal ASan error:

```
=================================================================
==4755==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cc:79 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    0x7f0bf5f368be in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:72
    0x7f0bf5f54eee in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
    0x7f0bf5e4cb6f in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cc:79
    0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:95
    0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:92
    0x7f0bf5e4e386 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cc:440
    0x7f0bf5e50e94 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cc:380
    0x7f0bf5f35f4d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cc:460
    0x7f0bf5e86f5e in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    0x558234873f1d in mem_zero src/base/system.cpp:213
    0x55823481fc27 in CSnapshotBuilder::NewItem(int, int, int) src/engine/shared/snapshot.cpp:675
    0x55823481be65 in CSnapshotDelta::UnpackDelta(CSnapshot*, CSnapshot*, void const*, int) src/engine/shared/snapshot.cpp:380
    0x558234776641 in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:631
    0x5582347861a9 in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
    0x5582336d4c7d in CClient::Update() src/engine/client/client.cpp:2695
    0x5582336f75dd in CClient::Run() src/engine/client/client.cpp:3305
    0x558233768241 in main src/engine/client/client.cpp:4770
```
2022-07-24 18:00:39 +02:00
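The four checks listed in the commit message, applied to a simplified snapshot buffer. This is an added example, not DDNet's `CSnapshot::IsValid`; the layout (`Header`, an `int32` offset table, then item data with a 4-byte key per item) and the names `snapshot_is_valid` and `make_snapshot` are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical simplified layout, NOT DDNet's actual CSnapshot:
// [Header][int32 offsets[num_items]][data_size bytes]; every item begins with an int32 key.
struct Header { int32_t data_size; int32_t num_items; };

static int32_t read_i32(const unsigned char *p) { int32_t v; std::memcpy(&v, p, sizeof(v)); return v; }

// Returns true only if every field is consistent with the number of bytes actually received.
bool snapshot_is_valid(const unsigned char *buf, size_t actual_size)
{
	if(actual_size < sizeof(Header)) return false;
	const int32_t data_size = read_i32(buf);
	const int32_t num_items = read_i32(buf + sizeof(int32_t));
	if(num_items < 0 || data_size < 0) return false;
	// Size derived from the members, computed in 64 bits so it cannot wrap.
	const int64_t total = (int64_t)sizeof(Header) + (int64_t)num_items * 4 + data_size;
	if(total != (int64_t)actual_size) return false;
	const unsigned char *offsets = buf + sizeof(Header);
	for(int32_t i = 0; i < num_items; i++) // offsets are checked before any size is derived from them
	{
		const int32_t off = read_i32(offsets + (size_t)i * 4);
		if(off < 0 || off > data_size) return false;
	}
	for(int32_t i = 0; i < num_items; i++)
	{
		const int64_t start = read_i32(offsets + (size_t)i * 4);
		const int64_t end = i == num_items - 1 ? data_size : read_i32(offsets + (size_t)(i + 1) * 4);
		if(end - start - (int64_t)sizeof(int32_t) < 0) return false; // negative item size
	}
	return true;
}

// Constructed test input: the header fields are whatever the untrusted sender or demo file claims.
std::vector<unsigned char> make_snapshot(int32_t num_items, int32_t data_size, const std::vector<int32_t> &offsets, size_t data_bytes)
{
	std::vector<unsigned char> buf(sizeof(Header) + offsets.size() * 4 + data_bytes, 0);
	std::memcpy(buf.data(), &data_size, 4);
	std::memcpy(buf.data() + 4, &num_items, 4);
	if(!offsets.empty()) std::memcpy(buf.data() + sizeof(Header), offsets.data(), offsets.size() * 4);
	return buf;
}

int main()
{
	auto bad = make_snapshot(2, 16, {0, 4096}, 16); // second offset points past the item data
	return snapshot_is_valid(bad.data(), bad.size()) ? 1 : 0; // exits 0 when the snapshot is rejected
}
```
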
| Name | Last commit | Date |
|---|---|---|
| backend | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| backend_sdl.cpp | Fix readability-duplicate-include | 2022-07-10 21:57:13 +02:00 |
| backend_sdl.h | Organize engine-client includes | 2022-06-17 17:46:43 +02:00 |
| blocklist_driver.cpp | Huge variable naming format | 2022-07-08 18:01:29 +02:00 |
| blocklist_driver.h | Add Intel as vendor to the block list on windows | 2021-05-06 12:23:40 +02:00 |
| checksum.h | Add some checksum functions to the client | 2022-01-31 21:31:26 +01:00 |
| client.cpp | Validate snapshot size and member variables and demo snapshots | 2022-07-24 18:00:39 +02:00 |
| client.h | Allow multiple connect addresses | 2022-07-10 16:57:10 +02:00 |
| demoedit.cpp | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| demoedit.h | Mark virtual function as override using a script: | 2022-05-17 23:47:32 +02:00 |
| discord.cpp | Fix win32 discord compilation | 2022-06-24 10:06:04 +02:00 |
| favorites.cpp | Rename variable m_aEntries to m_vEntries | 2022-07-18 21:43:59 +02:00 |
| friends.cpp | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| friends.h | Organize engine-client includes | 2022-06-17 17:46:43 +02:00 |
| ghost.cpp | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| ghost.h | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| graphics_defines.h | Remove GL includes from headers | 2021-05-01 23:56:30 +02:00 |
| graphics_threaded.cpp | Warn about pnglite-incompatible PNGs on load | 2022-07-14 18:22:46 +02:00 |
| graphics_threaded.h | Warn about pnglite-incompatible PNGs on load | 2022-07-14 18:22:46 +02:00 |
| input.cpp | Fix readability-container-data-pointer | 2022-07-10 21:42:57 +02:00 |
| input.h | Merge pull request #5453 from Robyt3/Joystick-Close-Before-SDL-Quit | 2022-06-20 23:47:59 +02:00 |
| keynames.h | Add joystick support to engine | 2022-06-13 20:40:36 +02:00 |
| notifications.cpp | Emscripten support | 2022-03-25 12:42:18 +01:00 |
| notifications.h | Libnotify support for linux client (#2099) | 2020-04-14 17:53:53 +02:00 |
| serverbrowser.cpp | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| serverbrowser.h | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| serverbrowser_http.cpp | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| serverbrowser_http.h | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| serverbrowser_ping_cache.cpp | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| serverbrowser_ping_cache.h | Allow multiple addresses per server in the serverbrowser | 2022-07-10 16:52:07 +02:00 |
| sound.cpp | Rename OpusFile to pOpusFile | 2022-06-28 17:38:38 +02:00 |
| sound.h | Reduce visibility of engine sound members and methods | 2022-06-26 22:43:32 +02:00 |
| sqlite.cpp | Make use of IO_MAX_PATH_LENGTH | 2021-09-13 12:14:50 +02:00 |
| steam.cpp | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| text.cpp | Fix readability-container-data-pointer | 2022-07-10 21:42:57 +02:00 |
| updater.cpp | Port some code to str_copy() template | 2022-07-09 19:40:58 +03:00 |
| updater.h | Use nullptr in generated and editor | 2022-06-13 18:28:13 +02:00 |
| video.cpp | Fix compilation in video.cpp | 2022-07-10 01:08:33 +02:00 |
| video.h | Huge variable naming format | 2022-07-08 18:01:29 +02:00 |