From 064753591f984e259a78c16e0e16446f25c48d74 Mon Sep 17 00:00:00 2001 From: Eric Wasylishen Date: Fri, 12 Jun 2015 02:26:10 +0000 Subject: [PATCH] gl_model.c: Mod_LoadTextures: avoid crash on broken maps such as jam2_tronyn.bsp or kellbase1.bsp, where we try to read texture pixel data past the end of the texture lump (crashing because the texture lump is the last thing in the .bsp file buffer). This would only happen on OS X or Linux (perhaps just luck or Windows is more lenient about reading ~40 bytes past the end of a malloc). Note this will only handle cases where the lump size is recorded as being too small, we will still crash if the bsp file itself is truncated since there are generally no checks against the whole .bsp file buffer size. FYI, the corruption in jam2_tronyn.bsp was caused by a bug in tyrutils which is fixed now: http://disenchant.net/git/?p=tyrutils&a=commit&h=5111c5485c96918b937843715f9b8f51f263e40e Not sure about kellbase1.bsp (quoth). git-svn-id: svn://svn.code.sf.net/p/quakespasm/code/trunk/quakespasm@1228 af15c1b1-3010-417e-b628-4374ebc0bcbd --- Quake/gl_model.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Quake/gl_model.c b/Quake/gl_model.c index a3d89329..dedeaefa 100644 --- a/Quake/gl_model.c +++ b/Quake/gl_model.c @@ -442,6 +442,16 @@ void Mod_LoadTextures (lump_t *l) for (j=0 ; joffsets[j] = mt->offsets[j] + sizeof(texture_t) - sizeof(miptex_t); // the pixels immediately follow the structures + + // ericw -- check for pixels extending past the end of the lump. + // appears in the wild; e.g. jam2_tronyn.bsp (func_mapjam2), + // kellbase1.bsp (quoth), and can lead to a segfault if we read past + // the end of the .bsp file buffer + if (((byte*)(mt+1) + pixels) > (mod_base + l->fileofs + l->filelen)) + { + Con_DPrintf("Texture %s extends past end of lump\n", mt->name); + pixels = q_max(0, (mod_base + l->fileofs + l->filelen) - (byte*)(mt+1)); + } memcpy ( tx+1, mt+1, pixels); tx->update_warp = false; //johnfitz
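Review bot: the guard in this hunk is evaluated by forming `(byte*)(mt+1) + pixels`, which for exactly the corrupt inputs it targets is a pointer computed past the end of the file buffer; a length comparison avoids relying on that, e.g. `if (pixels > (size_t)((mod_base + l->fileofs + l->filelen) - (byte*)(mt+1)))`, guarded by a prior check that `(byte*)(mt+1)` itself does not exceed the lump end. That prior check matters because `mt` is already dereferenced before the new code runs (`mt->offsets[j]` in the loop above it, and `mt->name` in the `Con_DPrintf` inside the guard), so a miptex header that sits outside the lump is still read unbounded; the change only caps the pixel `memcpy`. When `pixels` is clamped, the bytes after `tx+1` that would have held the missing pixels keep whatever the allocation contained while the texture still advertises its full size to later readers, so the tail should be explicitly cleared unless the allocator guarantees zeroed memory. Finally, `q_max(0, ...)` mixes an `int` with a pointer difference; a `ptrdiff_t` or `size_t` form of the clamp avoids the implicit conversion, and since the message identifies a broken map the user could report, a diagnostic visible outside developer mode would be more useful than `Con_DPrintf`.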