From ea4d31c26da2962d70df3ad8cb6a5e01b9c3bb45 Mon Sep 17 00:00:00 2001
From: Kawe Mazidjatari <48657826+Mauler125@users.noreply.github.com>
Date: Thu, 13 Jun 2024 15:52:03 +0200
Subject: [PATCH] VScript: fix buffer overflow vulnerability in SQClass::NewSlot()

Assembly patch in game executable to implement the fix from commit https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98 - patch has been tested and confirmed working.
---
 src/resource/patch/r5apex.patch | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/resource/patch/r5apex.patch b/src/resource/patch/r5apex.patch
index ed57e30c..0e57d4f2 100644
--- a/src/resource/patch/r5apex.patch
+++ b/src/resource/patch/r5apex.patch
@@ -116,3 +116,18 @@
 // original code...
 0x12944EE: "mov r8d, 0x104"
 0x12944F4: "jmp 0x14030E933"
+
+// This fixes a vulnerability in which the SQClass' '_members' buffer could overrun due to a missing check for current member count in the class.
+// This has been patched on the Squirrel repo in commit: https://github.com/albertodemichelis/squirrel/commit/23a0620658714b996d20da3d4dd1a0dcf9b0bd98
+0x1067595: "jmp 0x1412950F9" // Jump to code cave (alignment padding at end of executable segment).
+0x12944F9: "mov rcx, qword ptr ds:[rbx+0x40]" // Load "SQClass::_members" into RCX (unused stack register in current compound block).  // NOTE: 'this' ptr has been mov'd to a non-volatile register due to a function call in previous block.
+0x12944FD: "mov eax, dword ptr ds:[rcx+0x54]" // Load "SQTable::_usednodes" into EAX (unused stack register in current compound block).  // NOTE: inline 'SQTable::CountUsed()'
+0x1294500: "cmp eax, 0xFFFFFF" // Compare 'this->_members->_usednodes' against constant 'MEMBER_MAX_COUNT'.
+0x1294505: "jge 0x141295112" // Short jump to FAIL block (if 'this->_members->_usednodes' equals or exceeds MEMBER_MAX_COUNT).
+0x1294507: "mov ecx, dword ptr ds:[rsi]" // Restored code overwritten by long jump patch at 0x1067595.
+0x1294509: "mov rdi, qword ptr ss:[rbp-0x38]" // Restored code overwritten by long jump patch at 0x1067595.
+0x129450D: "jmp 0x14106819B" // Jump to original code (if 'this->_members->_usednodes' is lower than MEMBER_MAX_COUNT).
+0x1294512: "xor bl, bl" // Mark failure
+0x1294514: "jmp 0x141068429" // Jump to return gadget which releases temporary handles, and loads BL into RAX to be returned.
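Review bot: The 5-byte `jmp` written at 0x1067595 displaces 6 bytes of original code — the restored `mov ecx, dword ptr ds:[rsi]` (2 bytes) and `mov rdi, qword ptr ss:[rbp-0x38]` (4 bytes), which also matches the return target 0x14106819B sitting 6 bytes past the hook if the other entries' file-offset-to-VA delta applies — so the byte at 0x106759A is left as a stale fragment of the old instruction. Add an explicit `0x106759A: "nop"` so the detour contains no dangling partial opcode and disassembles cleanly, rather than relying on nothing ever landing there. The dword load of `_usednodes` at 0x12944FD together with the signed `jge` at 0x1294505 reproduces upstream's signed `CountUsed() >= MEMBER_MAX_COUNT` only if the field is a 32-bit signed SQInteger in this build; if it is 64-bit, the compare sees only the low half. State that assumption next to the load, e.g. `// NOTE: assumes SQInteger is 32-bit here; widen to RAX/qword if the build defines _SQ64.`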