R5Reloaded/r5sdk
1
0
Fork 0
mirror of https://github.com/Mauler125/r5sdk.git synced 2025-02-09 19:15:03 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug in vulnerability patch

Browse Source 
Value should be treated as unsigned, else negative values could still be used to read outside the static buffer.
This commit is contained in:
Kawe Mazidjatari 2023-05-30 20:24:52 +02:00
parent 46fafef60c
commit c2799ff68c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
r5dev/resource/patch/r5apex.patch
View File

@ -72,6 +72,6 @@
0x12944E3: "test eax, eax" // Existing NULL check, moved here due to overwrite caused by long jmp.
0x12944E5: "je 0x1412950F0" // Conditional jump to rebuild of overwritten instruction.
0x12944E7: "cmp eax, 0x28" // Check if array index does NOT exceed size; max = 0x27 (this check was missing).
0x12944EA: "jl 0x14030E951" // Conditional jump to original code that indexes into userinfo cvar string array.
0x12944EA: "jb 0x14030E951" // Conditional jump to original code that indexes into userinfo cvar string array.
0x12944F0: "mov r8d, 0x104" // Rebuid of overwritten instruction caused by long jump to code cave.
0x12944F6: "jmp 0x14030E933" // Jump to original code past the user info cvar array indexing.