From d5116913d674c937aad49d51230b34ea2a77eb69 Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Wed, 16 Oct 2024 19:43:17 +0200
Subject: [PATCH] Recast: fix heap buffer overflow during link remap [ASAN]

Polyrefs may become invalid as we remove dead polygons and reindex the remainders. If the polyref is invalid, skip the link as it will be thrown out anyways. Issue was found using address sanitizer on level mp_rr_desertlands_64k_x_64k.
---
 src/thirdparty/recast/Detour/Source/DetourNavMeshBuilder.cpp | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/thirdparty/recast/Detour/Source/DetourNavMeshBuilder.cpp b/src/thirdparty/recast/Detour/Source/DetourNavMeshBuilder.cpp
index 6963a2dd..196e8c74 100644
--- a/src/thirdparty/recast/Detour/Source/DetourNavMeshBuilder.cpp
+++ b/src/thirdparty/recast/Detour/Source/DetourNavMeshBuilder.cpp
@@ -1647,6 +1647,9 @@ bool dtUpdateNavMeshData(dtNavMesh* nav, const unsigned int tileIndex)
 if (it != tileIndex)
 continue;
+ if (salt != tile->salt || ip >= (unsigned int)header->polyCount)
+ continue;
+
 const dtPolyRef newRef = (polyRefBase | (dtPolyRef)newPolyIdMap[ip]);
 neiLink.ref = newRef;
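Review bot: The added guard bounds `ip` by `header->polyCount`, but the array read on the following line is `newPolyIdMap[ip]`. The check only prevents the out-of-bounds read if that map holds at least `header->polyCount` entries at this point, and the hunk does not show how the map is sized or whether `polyCount` is still the pre-compaction count. Comparing against the map's own element count would tie the check to the buffer it protects. Otherwise I would state the invariant above the guard, e.g. `// newPolyIdMap has header->polyCount entries; refs with a stale salt or an out-of-range poly index belong to links that are discarded later, so skip them`. A skipped link also keeps its old `neiLink.ref`, so it is worth confirming that nothing reads the link before it is thrown out, which is presumably handled in the part of `dtUpdateNavMeshData` outside this hunk.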