From 03d22045ad15ba64e6a4751fa119f83de0c33407 Mon Sep 17 00:00:00 2001
From: SiemensSchuckert <35631785+SiemensSchuckert@users.noreply.github.com>
Date: Wed, 4 Dec 2024 18:51:47 +0300
Subject: [PATCH 1/2] fix HTTP download crash (on empty file)
when empty filelist downloaded from HTTP server, CL_ParseFileList() uses unallocated buffer for strchr() segfault happens:
0 __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:65
1 0x00007ffff743de2c in __interceptor_strchr (s=0x0, c=) at ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:705
2 0x000055555566d7f8 in CL_ParseFileList (dl=0x55555587a178 ) at src/client/curl/download.c:484
3 0x000055555566e26c in CL_FinishHTTPDownload () at src/client/curl/download.c:670
---
 src/client/curl/download.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/src/client/curl/download.c b/src/client/curl/download.c
index 6e9d79f3..393f0b9f 100644
--- a/src/client/curl/download.c
+++ b/src/client/curl/download.c
@@ -264,6 +264,9 @@ static void CL_StartHTTPDownload (dlqueue_t *entry, dlhandle_t *dl)
 }
 // Make sure that the download handle is in empty state.
+ if (dl->tempBuffer) {
+ free(dl->tempBuffer);
+ }
 dl->tempBuffer = NULL;
 dl->fileSize = 0;
 dl->position = 0;
@@ -477,6 +480,10 @@ static void CL_ParseFileList(dlhandle_t *dl)
 return;
 }
+ if (!dl->tempBuffer) {
+ return;
+ }
+
 char *list = dl->tempBuffer;
 for (;;)
From 4cb319216f522f8320e19dcc23fe43b1bf8d55e3 Mon Sep 17 00:00:00 2001
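Review bot: The `if (dl->tempBuffer)` guard around the new `free()` in CL_StartHTTPDownload is redundant, since `free(NULL)` is a no-op; the release can be the single line `free(dl->tempBuffer);` placed ahead of the existing `dl->tempBuffer = NULL;`. Freeing here is only safe if no other code path still holds this pointer after taking the buffer over, which the hunk alone cannot show, so it is worth confirming that every consumer of tempBuffer clears the field once it owns the allocation; otherwise this reset on handle reuse becomes a double free. The body of CL_StartHTTPDownload begins before the hunk.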
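Review bot: The new `if (!dl->tempBuffer)` early return in CL_ParseFileList does not say how the buffer can be NULL at this point; a comment such as `// A zero-length response never allocates tempBuffer (it is reset to NULL in CL_StartHTTPDownload); nothing to parse.` would spare the next reader a trip through the commit message. The guard covers only the unallocated case: the parsing that follows walks the buffer with `strchr()` (per the backtrace), which needs a NUL terminator that the hunk does not show being appended for a non-empty body, so it is worth confirming that the receive path terminates tempBuffer before it reaches this parser, as the contents are server-supplied. The rest of CL_ParseFileList, including its loop body, lies outside the hunk.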
From: SiemensSchuckert <35631785+SiemensSchuckert@users.noreply.github.com>
Date: Wed, 4 Dec 2024 18:54:45 +0300
Subject: [PATCH 2/2] fix HTTP download crash (on 404)
change parameter type to match CURL lib (prevents crash on HTTP download) example test server: q2.bot.nu:27912 server config: set sv_downloadserver "https://quake2.pages.dev/" map DEBEQUA2 Client connects, and three files added to queue: HTTP download: /.filelist - Queued HTTP download: /maps/DEBEQUA2.filelist - Queued HTTP download: maps/DEBEQUA2.bsp - Queued from URL: https://quake2.pages.dev/.filelist - no file https://quake2.pages.dev/maps/DEBEQUA2.filelist - no file https://quake2.pages.dev/maps/DEBEQUA2.bsp - exists when 404 response received for '.filelist' file, CL_HTTP_Recv() is called and uses wrong file length in malloc() one of tests: ==43024==ERROR: AddressSanitizer: requested allocation size 0x8000000000000000 (0x8000000000001000 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
0 0x7ffff74b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
1 0x55555566b023 in CL_HTTP_Recv src/client/curl/download.c:98
2 0x7fffcbcc257a (/lib/x86_64-linux-gnu/libcurl.so.4+0x5157a)
---
 src/client/curl/download.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/client/curl/download.c b/src/client/curl/download.c
index 6e9d79f3..1f262cce 100644
--- a/src/client/curl/download.c
+++ b/src/client/curl/download.c
@@ -81,7 +81,7 @@ static size_t CL_HTTP_Recv(void *ptr, size_t size, size_t nmemb, void *stream)
 if (!dl->fileSize) {
- double length = 0;
+ curl_off_t length = 0;
 qcurl_easy_getinfo(dl->curl, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, &length);