Merge pull request #1061 from DanielGibson/curl-uaf-fix

Fix use-after-free bugs in http download code
Yamagi 2023-10-15 18:09:25 +02:00 committed by GitHub
commit 5c642b6a5b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -194,7 +194,7 @@ static qboolean CL_RemoveFromQueue(dlqueue_t *entry)
while (cur)
{
if (last->next == entry)
if (cur == entry)
{
last->next = cur->next;
free(cur);
@ -207,7 +207,6 @@ static qboolean CL_RemoveFromQueue(dlqueue_t *entry)
cur = cur->next;
}
return false;
}
@ -517,14 +516,13 @@ static void CL_ParseFileList(dlhandle_t *dl)
*/
static void CL_ReVerifyHTTPQueue (void)
{
dlqueue_t *q = &cls.downloadQueue;
dlqueue_t *q = &cls.downloadQueue.next;
pendingCount = 0;
while (q->next)
while (q)
{
q = q->next;
dlqueue_t *next = q->next;
if (q->state == DLQ_STATE_NOT_STARTED)
{
if (FS_LoadFile (q->quakePath, NULL) != -1)
@ -536,6 +534,7 @@ static void CL_ReVerifyHTTPQueue (void)
pendingCount++;
}
}
q = next;
}
}
@ -1037,16 +1036,15 @@ void CL_CancelHTTPDownloads(qboolean permKill)
abortDownloads = HTTPDL_ABORT_SOFT;
}
dlqueue_t *q = &cls.downloadQueue;
while (q->next)
dlqueue_t *q = &cls.downloadQueue.next;
while (q)
{
q = q->next;
dlqueue_t *next = q->next;
if (q->state == DLQ_STATE_NOT_STARTED)
{
CL_RemoveFromQueue(q);
}
q = next;
}
if (!pendingCount && !handleCount && abortDownloads == HTTPDL_ABORT_HARD)
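Review bot: The new initialiser `dlqueue_t *q = &cls.downloadQueue.next;` in CL_ReVerifyHTTPQueue takes the address of the `next` member instead of its value, and the CL_CancelHTTPDownloads hunk repeats the same line. The replaced code assigns both `&cls.downloadQueue` and `q->next` to a `dlqueue_t *`, so `next` is itself a `dlqueue_t *` and the new expression has type `dlqueue_t **`, which the compiler should flag as an incompatible pointer. If `next` is the first member of the struct (its definition is not shown here), the walk would start at the list head itself and read its `state` and `quakePath` rather than starting at the first queued entry. Dropping the `&` gives the intended traversal, `dlqueue_t *q = cls.downloadQueue.next;`, and keeps the save-`next`-before-`CL_RemoveFromQueue(q)` pattern that avoids touching freed memory. CL_CancelHTTPDownloads begins and ends outside the lines shown.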