From f2393a2e34b7e822a0d2e62d0991c2e78ed1a8b5 Mon Sep 17 00:00:00 2001
From: Denis Pauk
Date: Wed, 4 Oct 2023 00:24:12 +0300
Subject: [PATCH] Fix load mguhub

Need dynamic allocation and additional checks for array sizes, looks like overflow in mgu4m3, mgu5m2.
---
 README.md | 8 ++++----
 src/client/refresh/files/models.c | 4 ++--
 src/client/refresh/gl1/gl1_model.c | 4 ++--
 src/client/refresh/gl1/header/local.h | 2 +-
 src/client/refresh/gl3/gl3_model.c | 4 ++--
 src/client/refresh/soft/sw_model.c | 4 ++--
 src/client/refresh/vk/header/local.h | 2 +-
 src/client/refresh/vk/vk_model.c | 4 ++--
 src/common/collision.c | 9 +++++++--
 src/common/header/files.h | 16 ++++++++--------
 10 files changed, 31 insertions(+), 26 deletions(-)

diff --git a/README.md b/README.md
index 0cb53b29..2c9e30a9 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ Map state:
 | maps/mgu1trial.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu2m1.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu2m2.bsp | N/A | N/A | N/A | N/A | N/A |
- | maps/mgu2m3.bsp | N/A | N/A | N/A | N/A | N/A |
+ | maps/mgu2m3.bsp | B | N/A | N/A | ML | N/A |
 | maps/mgu3m1.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu3m2.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu3m3.bsp | N/A | N/A | N/A | N/A | N/A |
@@ -127,10 +127,10 @@ Map state:
 | maps/mgu3secret.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu4m1.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu4m2.bsp | N/A | N/A | N/A | N/A | N/A |
- | maps/mgu4m3.bsp | N/A | N/A | N/A | N/A | N/A |
+ | maps/mgu4m3.bsp | B | N/A | N/A | B | N/A |
 | maps/mgu4trial.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu5m1.bsp | N/A | N/A | N/A | N/A | N/A |
- | maps/mgu5m2.bsp | N/A | N/A | N/A | N/A | N/A |
+ | maps/mgu5m2.bsp | B | N/A | N/A | B | N/A |
 | maps/mgu5m3.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu5trial.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu6m1.bsp | N/A | N/A | N/A | N/A | N/A |
@@ -138,7 +138,7 @@ Map state:
 | maps/mgu6m3.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mgu6trial.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mguboss.bsp | N/A | N/A | N/A | N/A | N/A |
- | maps/mguhub.bsp | G | G | B | G | G |
+ | maps/mguhub.bsp | ML | G | B | ML | ML |
 | maps/mine1.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mine2.bsp | N/A | N/A | N/A | N/A | N/A |
 | maps/mine3.bsp | N/A | N/A | N/A | N/A | N/A |
diff --git a/src/client/refresh/files/models.c b/src/client/refresh/files/models.c
index 26f403a8..de1d00df 100644
--- a/src/client/refresh/files/models.c
+++ b/src/client/refresh/files/models.c
@@ -1488,7 +1488,7 @@ Mod_LoadNodes(const char *name, cplane_t *planes, int numplanes, mleaf_t *leafs,
 Mod_SetParent(*nodes, NULL); /* sets nodes and leafs */
 
 numvisleafs = 0;
- Mod_NumberLeafs (leafs, *nodes, r_leaftovis, r_vistoleaf, &numvisleafs);
+ Mod_NumberLeafs(leafs, *nodes, r_leaftovis, r_vistoleaf, &numvisleafs);
 }
 
 /*
@@ -1575,7 +1575,7 @@ Mod_LoadQNodes(const char *name, cplane_t *planes, int numplanes, mleaf_t *leafs
 Mod_SetParent(*nodes, NULL); /* sets nodes and leafs */
 
 numvisleafs = 0;
- Mod_NumberLeafs (leafs, *nodes, r_leaftovis, r_vistoleaf, &numvisleafs);
+ Mod_NumberLeafs(leafs, *nodes, r_leaftovis, r_vistoleaf, &numvisleafs);
 }
 
 /*
diff --git a/src/client/refresh/gl1/gl1_model.c b/src/client/refresh/gl1/gl1_model.c
index c536beaf..60a57a38 100644
--- a/src/client/refresh/gl1/gl1_model.c
+++ b/src/client/refresh/gl1/gl1_model.c
@@ -791,8 +791,8 @@ Mod_LoadQLeafs(model_t *loadmodel, const byte *mod_base, const lump_t *l)
 out->area = LittleLong(in->area);
 
 // make unsigned long from signed short
- firstleafface = LittleLong(in->firstleafface) & 0xFFFF;
- out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFF;
+ firstleafface = LittleLong(in->firstleafface) & 0xFFFFFFFF;
+ out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFFFFFF;
 out->firstmarksurface = loadmodel->marksurfaces + firstleafface;
 
 if ((firstleafface + out->nummarksurfaces) > loadmodel->nummarksurfaces)
diff --git a/src/client/refresh/gl1/header/local.h b/src/client/refresh/gl1/header/local.h
index ac4fe82b..36ab23de 100644
--- a/src/client/refresh/gl1/header/local.h
+++ b/src/client/refresh/gl1/header/local.h
@@ -67,7 +67,7 @@
 #define REF_VERSION "Yamagi Quake II OpenGL Refresher"
 #define BACKFACE_EPSILON 0.01
 #define LIGHTMAP_BYTES 4
-#define MAX_LIGHTMAPS 128
+#define MAX_LIGHTMAPS 256
 #define GL_LIGHTMAP_FORMAT GL_RGBA
 
 /* up / down */
diff --git a/src/client/refresh/gl3/gl3_model.c b/src/client/refresh/gl3/gl3_model.c
index ecad3a9f..61c0750e 100644
--- a/src/client/refresh/gl3/gl3_model.c
+++ b/src/client/refresh/gl3/gl3_model.c
@@ -716,8 +716,8 @@ Mod_LoadQLeafs(gl3model_t *loadmodel, const byte *mod_base, const lump_t *l)
 out->area = LittleLong(in->area);
 
 // make unsigned long from signed short
- firstleafface = LittleLong(in->firstleafface) & 0xFFFF;
- out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFF;
+ firstleafface = LittleLong(in->firstleafface) & 0xFFFFFFFF;
+ out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFFFFFF;
 out->firstmarksurface = loadmodel->marksurfaces + firstleafface;
 
 if ((firstleafface + out->nummarksurfaces) > loadmodel->nummarksurfaces)
diff --git a/src/client/refresh/soft/sw_model.c b/src/client/refresh/soft/sw_model.c
index 75701f71..9f5ecc93 100644
--- a/src/client/refresh/soft/sw_model.c
+++ b/src/client/refresh/soft/sw_model.c
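Review bot: Masking with `0xFFFFFFFF` on the two rewritten lines is a no-op for a 32-bit value, so the comment directly above them, `// make unsigned long from signed short`, now describes something the code no longer does; the same pattern is repeated in the gl3_model.c, sw_model.c and vk_model.c hunks. The range check that follows adds the two values before comparing, so an oversized `firstleafface` from a corrupted map can wrap the sum back below `loadmodel->nummarksurfaces` and pass, after which `out->firstmarksurface` points outside the marksurfaces array (if the variables are signed, which the hunk does not show, a negative value passes the same way). I would drop the mask, reword the comment to `// Q-format leafs carry 32-bit face indices, no 16-bit widening needed`, and compare without the addition: `if (firstleafface > loadmodel->nummarksurfaces || out->nummarksurfaces > loadmodel->nummarksurfaces - firstleafface)`. Mod_LoadQLeafs starts and ends outside the hunk.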
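Review bot: `MAX_LIGHTMAPS` is doubled here and again in the vk local.h hunk without a comment recording why, and in the vk header `DYNLIGHTMAP_OFFSET` is defined as `MAX_LIGHTMAPS`, so the dynamic lightmap slots move from 128.. to 256.. and the total slot count becomes 512; any table or narrow index type sized on the old total would have to follow, which I cannot confirm from these hunks. A one-line note next to the value keeps the next reader from shrinking it back: `#define MAX_LIGHTMAPS 256 /* 128 was exceeded by large maps such as mguhub */`, and in the vk header the same note plus `/* also moves DYNLIGHTMAP_OFFSET */`.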
@@ -579,8 +579,8 @@ Mod_LoadQLeafs(model_t *loadmodel, const byte *mod_base, const lump_t *l)
 out->area = LittleLong(in->area);
 
 // make unsigned long from signed short
- firstleafface = LittleLong(in->firstleafface) & 0xFFFF;
- out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFF;
+ firstleafface = LittleLong(in->firstleafface) & 0xFFFFFFFF;
+ out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFFFFFF;
 out->firstmarksurface = loadmodel->marksurfaces + firstleafface;
 
 if ((firstleafface + out->nummarksurfaces) > loadmodel->nummarksurfaces)
diff --git a/src/client/refresh/vk/header/local.h b/src/client/refresh/vk/header/local.h
index 82871596..4fcaf144 100644
--- a/src/client/refresh/vk/header/local.h
+++ b/src/client/refresh/vk/header/local.h
@@ -295,7 +295,7 @@ typedef struct
 uint32_t triangle_index_count;
 } vkconfig_t;
 
-#define MAX_LIGHTMAPS 128
+#define MAX_LIGHTMAPS 256
 #define DYNLIGHTMAP_OFFSET MAX_LIGHTMAPS
 
 typedef struct
diff --git a/src/client/refresh/vk/vk_model.c b/src/client/refresh/vk/vk_model.c
index cb085876..249ce1c0 100644
--- a/src/client/refresh/vk/vk_model.c
+++ b/src/client/refresh/vk/vk_model.c
@@ -761,8 +761,8 @@ Mod_LoadQLeafs(model_t *loadmodel, const byte *mod_base, const lump_t *l)
 out->area = LittleLong(in->area);
 
 // make unsigned long from signed short
- firstleafface = LittleLong(in->firstleafface) & 0xFFFF;
- out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFF;
+ firstleafface = LittleLong(in->firstleafface) & 0xFFFFFFFF;
+ out->nummarksurfaces = LittleLong(in->numleaffaces) & 0xFFFFFFFF;
 out->firstmarksurface = loadmodel->marksurfaces + firstleafface;
 
 if ((firstleafface + out->nummarksurfaces) > loadmodel->nummarksurfaces)
diff --git a/src/common/collision.c b/src/common/collision.c
index d083d7fc..99fee5dc 100644
--- a/src/common/collision.c
+++ b/src/common/collision.c
@@ -812,6 +812,11 @@ CM_TraceToLeaf(int leafnum)
 /* trace line against all brushes in the leaf */
 for (k = 0; k < leaf->numleafbrushes; k++)
 {
+ if (leaf->firstleafbrush + k > MAX_MAP_LEAFBRUSHES)
+ {
+ Com_Error(ERR_FATAL, "%s: broken leaf!\n", __func__);
+ }
+
 brushnum = map_leafbrushes[leaf->firstleafbrush + k];
 b = &map_brushes[brushnum];
 
@@ -1484,8 +1489,8 @@ CMod_LoadQLeafs(lump_t *l)
 out->contents = LittleLong(in->contents);
 out->cluster = LittleLong(in->cluster);
 out->area = LittleLong(in->area);
- out->firstleafbrush = LittleFloat(in->firstleafbrush);
- out->numleafbrushes = LittleFloat(in->numleafbrushes);
+ out->firstleafbrush = LittleLong(in->firstleafbrush);
+ out->numleafbrushes = LittleLong(in->numleafbrushes);
 
 if (out->cluster >= numclusters)
 {
diff --git a/src/common/header/files.h b/src/common/header/files.h
index 71dcace0..8a1afb87 100644
--- a/src/common/header/files.h
+++ b/src/common/header/files.h
@@ -355,13 +355,13 @@ typedef struct {
 #define BSPVERSION 38
 #define BSPDKMVERSION 41
 
-/* upper design bounds: leaffaces, leafbrushes, planes, and 
+/* upper design bounds: leaffaces, leafbrushes, planes, and
 * verts are still bounded by 16 bit short limits */
 #define MAX_MAP_MODELS 1024
 #define MAX_MAP_BRUSHES 16384
 #define MAX_MAP_ENTITIES 2048
 #define MAX_MAP_ENTSTRING 0x40000
-#define MAX_MAP_TEXINFO 32768
+#define MAX_MAP_TEXINFO 65536
 
 #define MAX_MAP_AREAS 256
 #define MAX_MAP_AREAPORTALS 1024
@@ -372,12 +372,12 @@ typedef struct {
 #define MAX_MAP_VERTS 65536
 #define MAX_MAP_FACES 65536
 #define MAX_MAP_LEAFFACES 65536
-#define MAX_MAP_LEAFBRUSHES 65536
+#define MAX_MAP_LEAFBRUSHES 131072
 #define MAX_MAP_PORTALS 65536
 #define MAX_MAP_EDGES 128000
 #define MAX_MAP_SURFEDGES 256000
 #define MAX_MAP_LIGHTING 0x200000
-#define MAX_MAP_VISIBILITY 0x200000
+#define MAX_MAP_VISIBILITY 0x400000
 
 /* key / value pair sizes */
 
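Review bot: The new guard is off by one: an array of `MAX_MAP_LEAFBRUSHES` entries ends at index `MAX_MAP_LEAFBRUSHES - 1`, so the test must read `if (leaf->firstleafbrush + k >= MAX_MAP_LEAFBRUSHES)`. It also compares against the compile-time capacity rather than the number of leafbrushes this map actually loaded, so an index beyond the loaded count but below the capacity still reads a stale entry, and `brushnum` on the next line then indexes `map_brushes` with no check of its own. Because `leaf->firstleafbrush` and `leaf->numleafbrushes` are fixed at load time, the validation belongs in CMod_LoadQLeafs (the second hunk of this file) once per leaf instead of inside the trace loop; if it stays here, evaluate it once before the `for` as `if (leaf->firstleafbrush + leaf->numleafbrushes > MAX_MAP_LEAFBRUSHES)`. CM_TraceToLeaf begins outside the hunk.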
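Review bot: Reading `firstleafbrush` and `numleafbrushes` with `LittleLong` fixes the conversion, but the values still come straight from the map lump and are stored on the two `+` lines without any range check; the only guard the commit adds is the per-trace capacity test in CM_TraceToLeaf. Validate the range once here, right after the two assignments, preferably against the count of leafbrushes the loader actually read (that counter lives outside this hunk) and otherwise against the capacity: `if (out->firstleafbrush < 0 || out->numleafbrushes < 0 || out->firstleafbrush > MAX_MAP_LEAFBRUSHES - out->numleafbrushes)` followed by `Com_Error(ERR_DROP, "%s: leaf has bad leafbrush range", __func__);` (the `< 0` tests apply if the fields are signed, which the hunk does not show). Rejecting the map while loading is also the better failure mode than a fatal error in the middle of a trace. CMod_LoadQLeafs starts and ends outside the hunk.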
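Review bot: The comment rewritten on the `-`/`+` lines still says leaffaces and leafbrushes "are still bounded by 16 bit short limits", while the next hunk raises `MAX_MAP_LEAFBRUSHES` to 131072 and the refresher hunks now read 32-bit leaf indices, so the comment contradicts the limits it introduces. Since the commit touches the line anyway, reword it, e.g. `/* upper design bounds: the classic version-38 BSP keeps leaffaces, leafbrushes, planes and verts under 16-bit limits; extended formats may exceed them, so loaders must check lump counts against the MAX_MAP_* values below */`. These constants size fixed tables (collision.c guards `map_leafbrushes` indices with `MAX_MAP_LEAFBRUSHES`), so raising `MAX_MAP_TEXINFO`, `MAX_MAP_LEAFBRUSHES` and `MAX_MAP_VISIBILITY` grows static memory for every map; the commit message itself says dynamic allocation is the real fix, which is worth recording next to the raised values.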
@@ -534,12 +534,12 @@ typedef struct texinfo_s { float vecs[2][4]; /* [s/t][xyz offset] */ int flags; /* miptex flags + overrides light emission, etc */ - int value; + int value; char texture[32]; /* texture name (textures*.wal) */ int nexttexinfo; /* for animations, -1 = end of chain */ } texinfo_t; -/* note that edge 0 is never used, because negative edge +/* note that edge 0 is never used, because negative edge nums are used for counterclockwise use of the edge in a face */ typedef struct @@ -644,8 +644,8 @@ typedef struct #define ANGLE_UP -1 #define ANGLE_DOWN -2 -/* the visibility lump consists of a header with a count, then - * byte offsets for the PVS and PHS of each cluster, then the raw +/* the visibility lump consists of a header with a count, then + * byte offsets for the PVS and PHS of each cluster, then the raw * compressed bit vectors */ #define DVIS_PVS 0 #define DVIS_PHS 1