From 7a8208eb2ff78c62d10b27a2ec0a5b13a5b385e2 Mon Sep 17 00:00:00 2001
From: Christoph Oelckers
Date: Fri, 6 Dec 2019 23:20:18 +0100
Subject: [PATCH] - fixed out of bounds memory access.
---
 source/blood/src/globals.cpp | 1 -
 source/common/filesystem/filesystem.cpp | 2 +-
 source/common/searchpaths.cpp | 2 +-
 source/common/utility/m_argv.h | 12 ++++++------
 source/common/utility/tarray.h | 5 ++++-
 5 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/source/blood/src/globals.cpp b/source/blood/src/globals.cpp
index a9d70643a..bbfd71188 100644
--- a/source/blood/src/globals.cpp
+++ b/source/blood/src/globals.cpp
@@ -62,7 +62,6 @@ void _consoleSysMsg(const char* pzFormat, ...) {
 va_list args;
 va_start(args, pzFormat);
 vsprintf(buffer, pzFormat, args);
- initprintf("%s(%i): %s\n", _module, _line, buffer);
 OSD_Printf(OSDTEXT_RED "%s(%i): %s\n", _module, _line, buffer);
 }
diff --git a/source/common/filesystem/filesystem.cpp b/source/common/filesystem/filesystem.cpp
index 1a508f6d4..86c819f48 100644
--- a/source/common/filesystem/filesystem.cpp
+++ b/source/common/filesystem/filesystem.cpp
@@ -482,7 +482,7 @@ int FileSystem::Iterate (const char *name, int *lastlump, ELookupMode lookupmode
 }
 lump_p = &FileInfo[*lastlump];
- while (lump_p < &FileInfo[NumEntries])
+ while (lump_p <= &FileInfo.Last())
 {
 auto lump = lump_p->lump;
 if (lump->LumpName[lookupindex] == lname)
diff --git a/source/common/searchpaths.cpp b/source/common/searchpaths.cpp
index e7cc03255..d7ae77a58 100644
--- a/source/common/searchpaths.cpp
+++ b/source/common/searchpaths.cpp
@@ -1016,7 +1016,7 @@ TArray GrpScan()
 for (unsigned i = 0; i < foundGames.Size(); i++)
 {
- for (unsigned j = foundGames.Size(); j > i; j--)
+ for (unsigned j = foundGames.Size() - 1; j > i; j--)
 {
 if (foundGames[i].FileInfo.CRC == foundGames[j].FileInfo.CRC)
 foundGames.Delete(j);
diff --git a/source/common/utility/m_argv.h b/source/common/utility/m_argv.h
index 2e822dee7..8684b1fd1 100644
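Review bot: In source/common/filesystem/filesystem.cpp, the new loop bound `&FileInfo.Last()` in FileSystem::Iterate is only meaningful when FileInfo holds at least one entry; on an empty array it would address the slot before the start, and nothing visible in this hunk rules that out. The function starts above the hunk, so an earlier guard may already cover this. Assuming FileInfo is the same TArray type used elsewhere in this patch, a count-based loop avoids the question entirely, e.g. `for (unsigned i = *lastlump; i < FileInfo.Size(); i++)` with `auto lump = FileInfo[i].lump;`. The line above, `lump_p = &FileInfo[*lastlump];`, also forms a pointer from the caller-supplied `*lastlump` and deserves the same range check before it is used.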
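Review bot: In source/common/searchpaths.cpp (GrpScan), `foundGames.Size() - 1` is unsigned arithmetic that would wrap on an empty array; it is safe here only because the enclosing `i < foundGames.Size()` condition guarantees at least one element. That dependency is easy to break in a later refactor, so it is worth stating next to the inner loop, e.g. `// Size() >= 1 here (outer loop condition), so Size() - 1 cannot wrap`. The outer loop body closes outside the hunk.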
--- a/source/common/utility/m_argv.h
+++ b/source/common/utility/m_argv.h
@@ -50,28 +50,28 @@ public:
 iterator begin()
 {
- return &Argv[0];
+ return Argv.begin();
 }
 const_iterator begin() const
 {
- return &Argv[0];
+ return Argv.begin();
 }
 const_iterator cbegin() const
 {
- return &Argv[0];
+ return Argv.begin();
 }
 iterator end()
 {
- return &Argv[Argv.Size()];
+ return Argv.end();
 }
 const_iterator end() const
 {
- return &Argv[Argv.Size()];
+ return Argv.end();
 }
 const_iterator cend() const
 {
- return &Argv[Argv.Size()];
+ return Argv.end();
 }
 FArgs();
diff --git a/source/common/utility/tarray.h b/source/common/utility/tarray.h
index 77265ece8..2be5f882a 100644
--- a/source/common/utility/tarray.h
+++ b/source/common/utility/tarray.h
@@ -237,14 +237,17 @@ public:
 }
 return true;
 }
- // Return a reference to an element
+ // Return a reference to an element.
+ // Note that the asserts must let the element after the end pass because this gets frequently used as a sentinel pointer.
 T &operator[] (size_t index) const
 {
+ assert(index <= Count);
 return Array[index];
 }
 // Returns the value of an element
 TT operator() (size_t index) const
 {
+ assert(index <= Count);
 return Array[index];
 }
 // Returns a reference to the last element
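Review bot: In source/common/utility/tarray.h, the `assert(index <= Count)` added to `operator()` is too loose: that overload returns the element by value, so `index == Count` performs an actual read one past the last element rather than just forming a sentinel address, and the check there should be `assert(index < Count);`. For `operator[]` the `<=` bound is a documented compromise, but it means a read or write through the one-past-the-end reference still goes undetected; callers that only need the end address could use `end()` (as the m_argv.h hunk in this patch now does) so the bound can later be tightened to `<`. Both checks are `assert`s, so builds with NDEBUG defined get no bounds checking from this change, which the comment should say.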