ddnet/src/engine/shared/snapshot.h
Robert Müller 3863d41623 Validate snapshot size and member variables and demo snapshots
Add `CSnapshot::IsValid` to check if a snapshot unpacked from a snapshot delta or demo is valid:
- ensure number of items and data size are not negative
- ensure that the actual size of the snapshot matches the size derived from its member variables
- ensure item offsets are within the valid range
- ensure item sizes are not negative

Add `CSnapshot::TotalSize` and `CSnapshot::OffsetSize` utility functions.

Minor improvements to related error messages.

Fixes buffer overflow:

```
==47744==ERROR: AddressSanitizer: global-buffer-overflow on address 0x558618e3767f at pc 0x558614b9bdfb bp 0x7ffe58a32cd0 sp 0x7ffe58a32cc0
READ of size 4 at 0x558618e3767f thread T0
    0x558614b9bdfa in CSnapshotItem::Type() const src/engine/shared/snapshot.h:16
    0x558615c3c911 in CSnapshot::GetItemType(int) const src/engine/shared/snapshot.cpp:29
    0x558614aebaba in CClient::UnpackAndValidateSnapshot(CSnapshot*, CSnapshot*) src/engine/client/client.cpp:2264
    0x558614af87cb in CClient::OnDemoPlayerSnapshot(void*, int) src/engine/client/client.cpp:2598
    0x558615b9db1a in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:659
    0x558615babd3f in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
    0x558614afb08b in CClient::Update() src/engine/client/client.cpp:2686
    0x558614b1d9eb in CClient::Run() src/engine/client/client.cpp:3296
    0x558614b8e64f in main src/engine/client/client.cpp:4761
```

And fixes a buffer overflow that manifests itself as an internal ASan error:

```
=================================================================
==4755==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/asan/asan_descriptions.cc:79 "((0 && "Address is not in memory and not in shadow?")) != (0)" (0x0, 0x0)
    0x7f0bf5f368be in AsanCheckFailed ../../../../src/libsanitizer/asan/asan_rtl.cc:72
    0x7f0bf5f54eee in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_termination.cc:77
    0x7f0bf5e4cb6f in GetShadowKind ../../../../src/libsanitizer/asan/asan_descriptions.cc:79
    0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:95
    0x7f0bf5e4cb6f in __asan::GetShadowAddressInformation(unsigned long, __asan::ShadowAddressDescription*) ../../../../src/libsanitizer/asan/asan_descriptions.cc:92
    0x7f0bf5e4e386 in __asan::AddressDescription::AddressDescription(unsigned long, unsigned long, bool) ../../../../src/libsanitizer/asan/asan_descriptions.cc:440
    0x7f0bf5e50e94 in __asan::ErrorGeneric::ErrorGeneric(unsigned int, unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long) ../../../../src/libsanitizer/asan/asan_errors.cc:380
    0x7f0bf5f35f4d in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ../../../../src/libsanitizer/asan/asan_report.cc:460
    0x7f0bf5e86f5e in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    0x558234873f1d in mem_zero src/base/system.cpp:213
    0x55823481fc27 in CSnapshotBuilder::NewItem(int, int, int) src/engine/shared/snapshot.cpp:675
    0x55823481be65 in CSnapshotDelta::UnpackDelta(CSnapshot*, CSnapshot*, void const*, int) src/engine/shared/snapshot.cpp:380
    0x558234776641 in CDemoPlayer::DoTick() src/engine/shared/demo.cpp:631
    0x5582347861a9 in CDemoPlayer::Update(bool) src/engine/shared/demo.cpp:1007
    0x5582336d4c7d in CClient::Update() src/engine/client/client.cpp:2695
    0x5582336f75dd in CClient::Run() src/engine/client/client.cpp:3305
    0x558233768241 in main src/engine/client/client.cpp:4770
```
2022-07-24 18:00:39 +02:00

170 lines
3.7 KiB
C++

/* (c) Magnus Auvinen. See licence.txt in the root of the distribution for more information. */
/* If you are missing that file, acquire a complete release at teeworlds.com. */
#ifndef ENGINE_SHARED_SNAPSHOT_H
#define ENGINE_SHARED_SNAPSHOT_H
#include <cstddef>
#include <stdint.h>
// CSnapshot
class CSnapshotItem
{
public:
int m_TypeAndID;
int *Data() { return (int *)(this + 1); }
int Type() const { return m_TypeAndID >> 16; }
int ID() const { return m_TypeAndID & 0xffff; }
int Key() const { return m_TypeAndID; }
};
class CSnapshot
{
friend class CSnapshotBuilder;
int m_DataSize;
int m_NumItems;
int *Offsets() const { return (int *)(this + 1); }
char *DataStart() const { return (char *)(Offsets() + m_NumItems); }
size_t OffsetSize() const { return sizeof(int) * m_NumItems; }
size_t TotalSize() const { return sizeof(CSnapshot) + OffsetSize() + m_DataSize; }
public:
enum
{
OFFSET_UUID_TYPE = 0x4000,
MAX_TYPE = 0x7fff,
MAX_ID = 0xffff,
MAX_ITEMS = 1024,
MAX_PARTS = 64,
MAX_SIZE = MAX_PARTS * 1024
};
void Clear()
{
m_DataSize = 0;
m_NumItems = 0;
}
int NumItems() const { return m_NumItems; }
CSnapshotItem *GetItem(int Index) const;
int GetItemSize(int Index) const;
int GetItemIndex(int Key) const;
int GetItemType(int Index) const;
int GetExternalItemType(int InternalType) const;
void *FindItem(int Type, int ID) const;
unsigned Crc();
void DebugDump();
bool IsValid(size_t ActualSize) const;
};
// CSnapshotDelta
class CSnapshotDelta
{
public:
class CData
{
public:
int m_NumDeletedItems;
int m_NumUpdateItems;
int m_NumTempItems; // needed?
int m_aData[1];
};
private:
enum
{
MAX_NETOBJSIZES = 64
};
short m_aItemSizes[MAX_NETOBJSIZES];
int m_aSnapshotDataRate[CSnapshot::MAX_TYPE + 1];
int m_aSnapshotDataUpdates[CSnapshot::MAX_TYPE + 1];
CData m_Empty;
static void UndiffItem(int *pPast, int *pDiff, int *pOut, int Size, int *pDataRate);
public:
static int DiffItem(int *pPast, int *pCurrent, int *pOut, int Size);
CSnapshotDelta();
CSnapshotDelta(const CSnapshotDelta &Old);
int GetDataRate(int Index) const { return m_aSnapshotDataRate[Index]; }
int GetDataUpdates(int Index) const { return m_aSnapshotDataUpdates[Index]; }
void SetStaticsize(int ItemType, int Size);
const CData *EmptyDelta() const;
int CreateDelta(class CSnapshot *pFrom, class CSnapshot *pTo, void *pDstData);
int UnpackDelta(class CSnapshot *pFrom, class CSnapshot *pTo, const void *pSrcData, int DataSize);
};
// CSnapshotStorage
class CSnapshotStorage
{
public:
class CHolder
{
public:
CHolder *m_pPrev;
CHolder *m_pNext;
int64_t m_Tagtime;
int m_Tick;
int m_SnapSize;
int m_AltSnapSize;
CSnapshot *m_pSnap;
CSnapshot *m_pAltSnap;
};
CHolder *m_pFirst;
CHolder *m_pLast;
CSnapshotStorage() { Init(); }
~CSnapshotStorage() { PurgeAll(); }
void Init();
void PurgeAll();
void PurgeUntil(int Tick);
void Add(int Tick, int64_t Tagtime, int DataSize, void *pData, int AltDataSize, void *pAltData);
int Get(int Tick, int64_t *pTagtime, CSnapshot **ppData, CSnapshot **ppAltData);
};
class CSnapshotBuilder
{
enum
{
MAX_EXTENDED_ITEM_TYPES = 64,
};
char m_aData[CSnapshot::MAX_SIZE];
int m_DataSize;
int m_aOffsets[CSnapshot::MAX_ITEMS];
int m_NumItems;
int m_aExtendedItemTypes[MAX_EXTENDED_ITEM_TYPES];
int m_NumExtendedItemTypes;
void AddExtendedItemType(int Index);
int GetExtendedItemTypeIndex(int TypeID);
int GetTypeFromIndex(int Index);
bool m_Sixup;
public:
CSnapshotBuilder();
void Init(bool Sixup = false);
void *NewItem(int Type, int ID, int Size);
CSnapshotItem *GetItem(int Index);
int *GetItemData(int Key);
int Finish(void *pSnapdata);
};
#endif // ENGINE_SNAPSHOT_H