Cronocide/Descent3
1
0
Fork 0
mirror of https://github.com/kevinbentley/Descent3.git synced 2025-01-22 19:55:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

Resolve out-of-bounds access in GoalDoFrame for OBJGOAL targets

Browse Source 
Giving off a laser shot in level 1 causes a double OOB.

$GIT/Descent3/AIGoal.cpp:756:57: runtime error: index -1 out of bounds for type 'ai_dynamic_path [50]'
$GIT/Descent3/AIGoal.cpp:756:118: runtime error: index -1 out of bounds for type 'short unsigned int [5]'
=================================================================
==58320==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000003b1f7f8 at pc 0x00000147b414 bp 0x7ffe6fdab4f0 sp 0x7ffe6fdab4e8
READ of size 4 at 0x000003b1f7f8 thread T0
    f0 vm_SubVectors(vector*, vector const*, vector const*) $GIT/vecmat/vector.cpp:180
    f1 vm_VectorDistance(vector const*, vector const*) $GIT/vecmat/vector.cpp:191
    f2 GoalDoFrame(object*) $GIT/Descent3/AIGoal.cpp:755
          float dist = vm_VectorDistance(
              &AIDynamicPath[ai_info->path.num_paths - 1].pos[ai_info->path.path_end_node[ai_info->path.num_paths - 1]],
                                                         ^                                                            ^
              posp);

    f3 AIDoFrame(object*) $GIT/Descent3/AImain.cpp:6212
    f4 ObjDoFrame(object*) $GIT/Descent3/object.cpp:2674
    f5 ObjDoFrameAll() $GIT/Descent3/object.cpp:2988
    f6 GameFrame() $GIT/Descent3/GameLoop.cpp:2980
    f7 GameSequencer() $GIT/Descent3/gamesequence.cpp:1221
    f8 PlayGame() $GIT/Descent3/game.cpp:834
    f9 MainLoop() $GIT/Descent3/descent.cpp:555
    f10 Descent3() $GIT/Descent3/descent.cpp:508
    f11 oeD3LnxApp::run() $GIT/Descent3/sdlmain.cpp:151
    f12 main $GIT/Descent3/sdlmain.cpp:334

0x000003b1f7f8 is located 8 bytes after global variable 'AI_RenderedList' defined in '$GIT/Descent3/AImain.cpp:1628:5' (0x3b1e080) of size 6000
0x000003b1f7f8 is located 40 bytes before global variable 'AI_NumHostileAlert' defined in '$GIT/Descent3/AImain.cpp:1630:5' (0x3b1f820) of size 4
This commit is contained in:
Jan Engelhardt 2024-08-30 01:03:27 +02:00
parent 6d5778d1fb
commit d0826c748f
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Descent3/AIGoal.cpp
View File

@ -752,7 +752,7 @@ void GoalDoFrame(object *obj) {
posp = &goal_obj->pos;
roomnum = goal_obj->roomnum;
float dist = vm_VectorDistance(
float dist = ai_info->path.num_paths == 0 ? 0.0f : vm_VectorDistance(
&AIDynamicPath[ai_info->path.num_paths - 1].pos[ai_info->path.path_end_node[ai_info->path.num_paths - 1]],
posp);