From 0175562e1fa2e225ef838cd7ef2cfdbcd6f1143b Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Fri, 24 Feb 2012 19:51:54 +0000
Subject: [PATCH] Do bound check for "quick" sector/wall accesses from CON, i.e. in getvarvar. This was causing oob sector accesses with code like this: getwall[hitwall].nextsector temp ifvarvare sector[temp].floorz sector[temp].ceilingz setvar tempb 1 (from DT's HYPERCORE). Also validate quote indices passed to CON's quote and userquote commands at runtime.
git-svn-id: https://svn.eduke32.com/eduke32@2381 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/source/gameexec.c | 14 +++++++++
 polymer/eduke32/source/gamevars.c | 48 ++++++++++++++++++++++++++++---
 2 files changed, 58 insertions(+), 4 deletions(-)
diff --git a/polymer/eduke32/source/gameexec.c b/polymer/eduke32/source/gameexec.c
index 4b5e69f14..d8d398d08 100644
--- a/polymer/eduke32/source/gameexec.c
+++ b/polymer/eduke32/source/gameexec.c
@@ -4748,6 +4748,13 @@ nullquote:
 case CON_QUOTE:
 insptr++;
+ if ((unsigned)(*insptr) >= MAXQUOTES)
+ {
+ OSD_Printf(CON_ERROR "invalid quote ID %d\n",g_errorLineNum,keyw[g_tw],(int32_t)(*insptr));
+ insptr++;
+ continue;
+ }
+
 if ((ScriptQuotes[*insptr] == NULL))
 {
 OSD_Printf(CON_ERROR "null quote %d\n",g_errorLineNum,keyw[g_tw],(int32_t)*insptr);
@@ -4770,6 +4777,13 @@ nullquote:
 {
 int32_t i=Gv_GetVarX(*insptr++);
+ if ((unsigned)i >= MAXQUOTES)
+ {
+ OSD_Printf(CON_ERROR "invalid quote ID %d\n",g_errorLineNum,keyw[g_tw],i);
+ insptr++;
+ continue;
+ }
+
 if ((ScriptQuotes[i] == NULL))
 {
 OSD_Printf(CON_ERROR "null quote %d\n",g_errorLineNum,keyw[g_tw],i);
diff --git a/polymer/eduke32/source/gamevars.c b/polymer/eduke32/source/gamevars.c
index 55298f29f..7b25fa733 100644
--- a/polymer/eduke32/source/gamevars.c
+++ b/polymer/eduke32/source/gamevars.c
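Review bot: In the CON_USERQUOTE hunk the new error branch does `insptr++` even though `Gv_GetVarX(*insptr++)` two lines above has already consumed the quote operand, so on an invalid ID the interpreter appears to step over the opcode that follows; it copies the shape of the existing null-quote branch, which may carry the same issue, so confirm against that branch (its body continues outside the hunk) before dropping the increment. In the CON_QUOTE hunk the extra `insptr++` is right, because there the operand has not been consumed when the check runs. Since `Gv_GetVarX` returns -1 on its own error paths, the `(unsigned)i >= MAXQUOTES` test also rejects that sentinel, which deserves a comment: `// also rejects the -1 that Gv_GetVarX returns on error`. The same test and message are now written twice; a small `static inline` helper taking the ID would keep the two copies from drifting apart.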
@@ -613,8 +613,20 @@ int32_t __fastcall Gv_GetVar(register int32_t id, register int32_t iActor, regis
 return ((Gv_GetVar(*insptr++, index, iPlayer) ^ -negateResult) + negateResult);
 case 1: //else if (id == g_iSectorVarID)
 if (index == vm.g_i) index = sprite[vm.g_i].sectnum;
+ if ((unsigned)index >= MAXSECTORS)
+ {
+ iPlayer = index;
+ insptr++;
+ goto badsector;
+ }
 return ((VM_AccessSectorX(index, *insptr++) ^ -negateResult) + negateResult);
 case 2: //else if (id == g_iWallVarID)
+ if ((unsigned)index >= MAXWALLS)
+ {
+ iPlayer = index;
+ insptr++;
+ goto badwall;
+ }
 return ((VM_AccessWallX(index, *insptr++) ^ -negateResult) + negateResult);
 default:
 goto wtf;
@@ -667,6 +679,14 @@ badsprite:
 OSD_Printf(CON_ERROR "Gv_GetVar(): invalid sprite ID %d\n",g_errorLineNum,keyw[g_tw], iPlayer);
 return -1;
+badsector:
+ OSD_Printf(CON_ERROR "Gv_GetVar(): invalid sector ID %d\n",g_errorLineNum,keyw[g_tw], iPlayer);
+ return -1;
+
+badwall:
+ OSD_Printf(CON_ERROR "Gv_GetVar(): invalid wall ID %d\n",g_errorLineNum,keyw[g_tw], iPlayer);
+ return -1;
+
 wtf:
 OSD_Printf(CON_ERROR "Gv_GetVar(): WTF?\n",g_errorLineNum,keyw[g_tw]);
 return -1;
@@ -787,8 +807,20 @@ int32_t __fastcall Gv_GetVarX(register int32_t id)
 return ((Gv_GetVar(*insptr++, index, vm.g_p) ^ -negateResult) + negateResult);
 case 1: //else if (id == g_iSectorVarID)
 if (index == vm.g_i) index = sprite[vm.g_i].sectnum;
+ if ((unsigned)index >= MAXSECTORS)
+ {
+ id = index;
+ insptr++;
+ goto badsector;
+ }
 return ((VM_AccessSectorX(index, *insptr++) ^ -negateResult) + negateResult);
 case 2: //else if (id == g_iWallVarID)
+ if ((unsigned)index >= MAXWALLS)
+ {
+ id = index;
+ insptr++;
+ goto badwall;
+ }
 return ((VM_AccessWallX(index, *insptr++) ^ -negateResult) + negateResult);
 default:
 goto wtf;
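Review bot: The new checks in `Gv_GetVar` overwrite the `iPlayer` parameter with the offending index purely so the `badsector`/`badwall` labels can print it, and the `Gv_GetVarX` hunk at -787 does the same with `id`; that follows the existing `badsprite` convention, but nothing at the assignment tells a reader the parameter no longer holds what its name says, so either a dedicated local or a comment such as `iPlayer = index;  // scratch: carried to the badsector label for the message` is needed. The bound is the array capacity `MAXSECTORS`/`MAXWALLS`, which makes the access memory-safe, but an index between the loaded map's sector count and that capacity still reads an unused entry; if the engine's live `numsectors`/`numwalls` were meant to be the limit that is a follow-up, and if capacity is deliberate a comment saying so would stop the next reader from tightening it blindly. Placing the check after `index = sprite[vm.g_i].sectnum` is the right order, since that assignment is where a -1 sectnum enters.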
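Review bot: The new `badsector`/`badwall` paths return -1 like the labels around them, but -1 is also a legitimate value in the exact case from the commit message: a `nextsector` of -1 (presumably the engine's "no adjoining sector" value) now makes `sector[temp].floorz` and `sector[temp].ceilingz` both evaluate to -1, so the `ifvarvare` compares equal and the script takes the true branch on bad data instead of crashing. That is the right trade for memory safety, but the caller cannot tell an error from data, and the contract should be written down at the labels, e.g. `/* -1 doubles as the error sentinel; CON sees it as an ordinary value and keeps running on that branch */`. The labels added to `Gv_GetVarX` in the -823 hunk have the same contract.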
@@ -823,19 +855,27 @@ int32_t __fastcall Gv_GetVarX(register int32_t id)
 }
 badindex:
- OSD_Printf(CON_ERROR "Gv_GetVar(): invalid array index (%s[%d])\n",g_errorLineNum,keyw[g_tw],aGameArrays[id].szLabel,(int32_t)negateResult);
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid array index (%s[%d])\n",g_errorLineNum,keyw[g_tw],aGameArrays[id].szLabel,(int32_t)negateResult);
 return -1;
 badvarid:
- OSD_Printf(CON_ERROR "Gv_GetVar(): invalid gamevar ID (%d)\n",g_errorLineNum,keyw[g_tw],id);
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid gamevar ID (%d)\n",g_errorLineNum,keyw[g_tw],id);
 return -1;
 badplayer:
- OSD_Printf(CON_ERROR "Gv_GetVar(): invalid player ID %d\n",g_errorLineNum,keyw[g_tw], id);
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid player ID %d\n",g_errorLineNum,keyw[g_tw], id);
 return -1;
 badsprite:
- OSD_Printf(CON_ERROR "Gv_GetVar(): invalid sprite ID %d\n",g_errorLineNum,keyw[g_tw], id);
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid sprite ID %d\n",g_errorLineNum,keyw[g_tw], id);
+ return -1;
+
+badsector:
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid sector ID %d\n",g_errorLineNum,keyw[g_tw], id);
+ return -1;
+
+badwall:
+ OSD_Printf(CON_ERROR "Gv_GetVarX(): invalid wall ID %d\n",g_errorLineNum,keyw[g_tw], id);
 return -1;
 wtf:
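Review bot: In this label block the `%d` argument is `id` in every message, but it means different things on adjacent lines: under `badvarid` it is a gamevar ID, while under the new `badsector` and `badwall` labels (and `badplayer`/`badsprite`) it is whatever index the jumping code stored into `id` before the `goto`. A reader who only sees this block cannot know that, so a short comment at the top of the labels would help, e.g. `/* on the index-error labels below, id has been overwritten with the offending index */`. The function-name fix in the four renamed messages is a good catch; `wtf:` and whatever follows it are outside the hunk.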