From 60886f389cf55a5046da1c42621709c33432748b Mon Sep 17 00:00:00 2001
From: "alexey.lysiuk" <alexey.lysiuk@gmail.com>
Date: Sat, 29 Aug 2020 13:06:46 +0300
Subject: [PATCH] - fill array of objects with nulls on reserve

When item of object array is reserved but not written, it contains random garbage that is treated as valid pointer by VM and GC

https://forum.zdoom.org/viewtopic.php?t=69703
---
 src/common/scripting/core/dynarrays.cpp | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/common/scripting/core/dynarrays.cpp b/src/common/scripting/core/dynarrays.cpp
index 16bb57ca8..eebb97da8 100644
--- a/src/common/scripting/core/dynarrays.cpp
+++ b/src/common/scripting/core/dynarrays.cpp
@@ -121,6 +121,17 @@ template<class T> unsigned int ArrayReserve(T *self, int amount)
 	return self->Reserve(amount);
 }
 
+template<> unsigned int ArrayReserve(TArray<DObject*> *self, int amount)
+{
+	const unsigned int oldSize = self->Reserve(amount);
+	const unsigned int fillCount = self->Size() - oldSize;
+
+	if (fillCount > 0)
+		memset(&(*self)[oldSize], 0, sizeof(DObject*) * fillCount);
+	
+	return oldSize;
+}
+
 template<class T> int ArrayMax(T *self)
 {
 	return self->Max();
@@ -908,7 +919,7 @@ DEFINE_ACTION_FUNCTION_NATIVE(FDynArray_Obj, Reserve, ArrayReserve<FDynArray_Obj
 {
 	PARAM_SELF_STRUCT_PROLOGUE(FDynArray_Obj);
 	PARAM_INT(count);
-	ACTION_RETURN_INT(self->Reserve(count));
+	ACTION_RETURN_INT(ArrayReserve(self, count));
 }
 
 DEFINE_ACTION_FUNCTION_NATIVE(FDynArray_Obj, Max, ArrayMax<FDynArray_Obj>)