From b9061c84473bc439529b6fe54ac2c8241297c408 Mon Sep 17 00:00:00 2001
From: Zack Middleton
Date: Thu, 1 May 2014 20:41:47 -0500
Subject: [PATCH] Fix cg.skulltrails out of bounds access in Team Arena Harvester mode
In Team Arena's Harvester mode, players corrupt your memory from beyond the grave. Gib the players to stop the corruption! CG_PlayerTokens is called for player entities, including corpses. The entity number is used for the index in cg.skulltrails which only has MAX_CLIENTS elements. This results in incorrect memory being overwritten for corpse entities (as the entity number is >= MAX_CLIENTS). So limit skull trails to valid entities (entity number < MAX_CLIENTS).
---
code/cgame/cg_players.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/code/cgame/cg_players.c b/code/cgame/cg_players.c
index 59f52320..9c76aac3 100644
--- a/code/cgame/cg_players.c
+++ b/code/cgame/cg_players.c
@@ -1774,6 +1774,9 @@ static void CG_PlayerTokens( centity_t *cent, int renderfx ) {
 refEntity_t ent;
 vec3_t dir, origin;
 skulltrail_t *trail;
+ if ( cent->currentState.number >= MAX_CLIENTS ) {
+ return;
+ }
 trail = &cg.skulltrails[cent->currentState.number];
 tokens = cent->currentState.generic1;
 if ( !tokens ) {
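Review bot: The new guard fixes the out-of-bounds index into cg.skulltrails but gives the reader no hint why entity numbers at or above MAX_CLIENTS are rejected; a one-line comment above the `if` would make the bound self-explaining, e.g. `// cg.skulltrails has only MAX_CLIENTS entries; corpses and other non-player entities carry numbers >= MAX_CLIENTS and own no trail`. The check bounds only the upper end: currentState.number is presumably a signed int, so a negative value would still index before the array; I assume the snapshot parser keeps entity numbers non-negative, but `if ( (unsigned)cent->currentState.number >= MAX_CLIENTS ) {` would make the guard hold regardless of that assumption. Tying the limit to the array itself (a sizeof-based element count rather than the MAX_CLIENTS constant) would also keep the check correct if the array is ever resized. The body of CG_PlayerTokens continues past the end of the hunk.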