R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Engine: fix underflow vulnerability in CL_CopyNewEntity

Browse Source 
Code only checked upper bounds, this patch adds an additional lower bounds check.
This commit is contained in:
Kawe Mazidjatari 2024-11-24 12:05:49 +01:00
parent 2128b0ad04
commit ab0ec34e80
2 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/engine/client/cl_ents_parse.cpp
View File

@ -9,6 +9,21 @@
#include "engine/host.h"
#include "engine/client/cl_ents_parse.h"
bool CL_CopyNewEntity(CEntityReadInfo* const u, unsigned int* const iClass, const int iSerialNum, bool* const pbError)
{
// Similar to the issue in CL_CopyExistingEntity,
// except, only the lower bounds check was missing.
if (u->m_nNewEntity < NULL || u->m_nNewEntity >= MAX_EDICTS)
{
Host_Error("CL_CopyNewEntity: u.m_nNewEntity < 0 || u.m_nNewEntity >= MAX_EDICTS");
*pbError = true;
return false;
}
return v_CL_CopyNewEntity(u, iClass, iSerialNum, pbError);
}
bool CL_CopyExistingEntity(CEntityReadInfo* const u, unsigned int* const iClass, bool* const pbError)
{
if (u->m_nNewEntity < NULL || u->m_nNewEntity >= MAX_EDICTS)

5
src/engine/client/cl_ents_parse.h
View File

@ -2,24 +2,29 @@
#define CL_ENTS_PARSE_H
#include "engine/shared/ents_shared.h"
inline bool(*v_CL_CopyNewEntity)(CEntityReadInfo* const u, unsigned int* const iClass, const int iSerialNum, bool* const pbError);
inline bool(*v_CL_CopyExistingEntity)(CEntityReadInfo* const u, unsigned int* const iClass, bool* const pbError);
bool CL_CopyNewEntity(CEntityReadInfo* const u, unsigned int* const iClass, const int iSerialNum, bool* const pbError);
bool CL_CopyExistingEntity(CEntityReadInfo* const u, unsigned int* const iClass, bool* const pbError);
///////////////////////////////////////////////////////////////////////////////
class V_CL_Ents_Parse : public IDetour
{
virtual void GetAdr(void) const
{
LogFunAdr("CL_CopyNewEntity", v_CL_CopyExistingEntity);
LogFunAdr("CL_CopyExistingEntity", v_CL_CopyExistingEntity);
}
virtual void GetFun(void) const
{
g_GameDll.FindPatternSIMD("40 55 53 41 54 41 55 41 57 48 8D AC 24").GetPtr(v_CL_CopyNewEntity);
g_GameDll.FindPatternSIMD("40 53 48 83 EC 70 4C 63 51 28").GetPtr(v_CL_CopyExistingEntity);
}
virtual void GetVar(void) const { }
virtual void GetCon(void) const { }
virtual void Detour(const bool bAttach) const
{
DetourSetup(&v_CL_CopyNewEntity, &CL_CopyNewEntity, bAttach);
DetourSetup(&v_CL_CopyExistingEntity, &CL_CopyExistingEntity, bAttach);
}
};