From 952a7232294f4eb5dfb7b558377d5bc8f32c7c9a Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Sat, 7 Feb 2015 17:29:11 +0000
Subject: [PATCH] Make g_player a +1 offset pointer into 'static g_player_s[1 + MAXPLAYER]'.

This fixes the out-of-bounds read of former g_player[] in VM_EventCommon_().

git-svn-id: https://svn.eduke32.com/eduke32@4961 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/build/src/engine.c | 12 ++---
 polymer/eduke32/source/global.h | 65 ++++++++++++++----------
 polymer/eduke32/source/lunatic/defs.ilua | 2 +-
 polymer/eduke32/source/player.h | 2 +-
 4 files changed, 44 insertions(+), 37 deletions(-)

diff --git a/polymer/eduke32/build/src/engine.c b/polymer/eduke32/build/src/engine.c
index f0e342c0d..d5d915972 100644
--- a/polymer/eduke32/build/src/engine.c
+++ b/polymer/eduke32/build/src/engine.c
@@ -9079,17 +9079,15 @@ static int32_t preinitcalled = 0;
 // #define DYNALLOC_ARRAYS
-#ifndef DYNALLOC_ARRAYS
-# if !defined DEBUG_MAIN_ARRAYS
+#ifdef DYNALLOC_ARRAYS
+void *blockptr = NULL;
+#elif !defined DEBUG_MAIN_ARRAYS
 static spriteext_t spriteext_s[MAXSPRITES+MAXUNIQHUDID];
 static spritesmooth_t spritesmooth_s[MAXSPRITES+MAXUNIQHUDID];
 static sectortype sector_s[MAXSECTORS + M32_FIXME_SECTORS];
 static walltype wall_s[MAXWALLS + M32_FIXME_WALLS];
 static spritetype sprite_s[MAXSPRITES];
 static tspritetype tsprite_s[MAXSPRITESONSCREEN];
-# endif
-#else
-void *blockptr = NULL;
 #endif
 int32_t preinitengine(void)
@@ -9142,15 +9140,13 @@ int32_t preinitengine(void)
 }
 }
-#else
-# if !defined DEBUG_MAIN_ARRAYS
+#elif !defined DEBUG_MAIN_ARRAYS
 sector = sector_s;
 wall = wall_s;
 sprite = sprite_s;
 tsprite = tsprite_s;
 spriteext = spriteext_s;
 spritesmooth = spritesmooth_s;
-# endif
 #endif
 if ((e = Bgetenv("BUILD_NOP6")) != NULL)
diff --git a/polymer/eduke32/source/global.h b/polymer/eduke32/source/global.h
index eadb4e9ac..40e75353e 100644
--- a/polymer/eduke32/source/global.h
+++ b/polymer/eduke32/source/global.h
@@ -112,11 +112,22 @@ G_EXTERN intptr_t *g_scriptPtr;
 G_EXTERN int32_t *labelcode,*labeltype;
 G_EXTERN intptr_t *script;
 G_EXTERN map_t MapInfo[(MAXVOLUMES+1)*MAXLEVELS]; // +1 volume for "intro", "briefing" and "loading" music
+
+// XXX: I think this pragma pack is meaningless here.
+// MSDN (https://msdn.microsoft.com/en-us/library/2e70t5y1%28VS.80%29.aspx) says:
+// "pack takes effect at the first struct, union, or class declaration after
+// the pragma is seen; pack has no effect on definitions."
 #pragma pack(push,1)
-G_EXTERN playerdata_t g_player[MAXPLAYERS];
+#ifdef global_c_
+static playerdata_t g_player_s[1 + MAXPLAYERS];
+playerdata_t *const g_player = &g_player_s[1];
+#else
+extern playerdata_t *const g_player;
+#endif
 G_EXTERN playerspawn_t g_playerSpawnPoints[MAXPLAYERS];
 G_EXTERN input_t inputfifo[MOVEFIFOSIZ][MAXPLAYERS];
 #pragma pack(pop)
+
 G_EXTERN projectile_t ProjectileData[MAXTILES];
 G_EXTERN projectile_t SpriteProjectile[MAXSPRITES];
 G_EXTERN sound_t g_sounds[MAXSOUNDS];
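Review bot: The `g_player_s[0]` slot reached through `g_player[-1]` is reserved on purpose, but nothing at the definition says so, and the `1 +` reads like an off-by-one that a later cleanup could "fix" back into the out-of-bounds read this commit removes; add `// g_player_s[0] is a zero-filled dummy reached as g_player[-1] (see VM_EventCommon_); never a real player.` above the `static playerdata_t g_player_s` line. Because the array is static the dummy is all-zero, so if the index -1 path in VM_EventCommon_ dereferences any pointer member of that entry, the former out-of-bounds read becomes a NULL dereference — worth confirming that only scalar fields are read there, or pointing the dummy's pointer members at valid storage at startup. Turning the array into a pointer also changes `sizeof g_player` from MAXPLAYERS entries to one pointer, so any `sizeof`-based memset, copy or save-game serialisation of `g_player` elsewhere would now silently cover eight bytes; a grep for `sizeof(g_player)` / `sizeof g_player` is cheap insurance. The hunk sits at file scope inside a `#pragma pack` region that opens and closes within it.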
@@ -129,32 +140,32 @@ G_EXTERN int32_t g_screenCapture;
 G_EXTERN int32_t g_noEnemies;
 #ifndef global_c_
-G_EXTERN const char *s_buildDate;
-G_EXTERN int32_t g_spriteGravity;
-G_EXTERN int16_t g_spriteDeleteQueueSize;
-G_EXTERN char EpisodeNames[MAXVOLUMES][33];
-G_EXTERN char SkillNames[MAXSKILLS][33];
-G_EXTERN char GametypeNames[MAXGAMETYPES][33];
-G_EXTERN int32_t GametypeFlags[MAXGAMETYPES];
-G_EXTERN char g_numGametypes;
-G_EXTERN char g_numVolumes;
-G_EXTERN int32_t g_timerTicsPerSecond;
-G_EXTERN int32_t g_actorRespawnTime;
-G_EXTERN int32_t g_itemRespawnTime;
-G_EXTERN int32_t g_scriptSize;
-G_EXTERN int16_t BlimpSpawnSprites[15];
-G_EXTERN int32_t g_playerFriction;
-G_EXTERN int32_t g_numFreezeBounces;
-G_EXTERN int32_t g_lastSaveSlot;
-G_EXTERN int32_t g_rpgBlastRadius;
-G_EXTERN int32_t g_pipebombBlastRadius;
-G_EXTERN int32_t g_tripbombBlastRadius;
-G_EXTERN int32_t g_shrinkerBlastRadius;
-G_EXTERN int32_t g_morterBlastRadius;
-G_EXTERN int32_t g_bouncemineBlastRadius;
-G_EXTERN int32_t g_seenineBlastRadius;
-G_EXTERN char CheatKeys[2];
-G_EXTERN char setupfilename[BMAX_PATH];
+extern const char *s_buildDate;
+extern int32_t g_spriteGravity;
+extern int16_t g_spriteDeleteQueueSize;
+extern char EpisodeNames[MAXVOLUMES][33];
+extern char SkillNames[MAXSKILLS][33];
+extern char GametypeNames[MAXGAMETYPES][33];
+extern int32_t GametypeFlags[MAXGAMETYPES];
+extern char g_numGametypes;
+extern char g_numVolumes;
+extern int32_t g_timerTicsPerSecond;
+extern int32_t g_actorRespawnTime;
+extern int32_t g_itemRespawnTime;
+extern int32_t g_scriptSize;
+extern int16_t BlimpSpawnSprites[15];
+extern int32_t g_playerFriction;
+extern int32_t g_numFreezeBounces;
+extern int32_t g_lastSaveSlot;
+extern int32_t g_rpgBlastRadius;
+extern int32_t g_pipebombBlastRadius;
+extern int32_t g_tripbombBlastRadius;
+extern int32_t g_shrinkerBlastRadius;
+extern int32_t g_morterBlastRadius;
+extern int32_t g_bouncemineBlastRadius;
+extern int32_t g_seenineBlastRadius;
+extern char CheatKeys[2];
+extern char setupfilename[BMAX_PATH];
 #endif
 #ifdef __cplusplus
diff --git a/polymer/eduke32/source/lunatic/defs.ilua b/polymer/eduke32/source/lunatic/defs.ilua
index d19907927..2daaa0af4 100644
--- a/polymer/eduke32/source/lunatic/defs.ilua
+++ b/polymer/eduke32/source/lunatic/defs.ilua
@@ -640,7 +640,7 @@ int32_x_MAXSESSIONVARS g_elSessionVar;
 actor_t actor[MAXSPRITES];
 camera_t g_camera;
 user_defs ud;
-playerdata_t g_player[MAXPLAYERS];
+playerdata_t *const g_player;
 DukePlayer_t *g_player_ps[MAXPLAYERS];
 weapondata_x_MAX_WEAPONS g_playerWeapon[MAXPLAYERS];
 weapondata_t g_weaponOverridden[MAX_WEAPONS];
diff --git a/polymer/eduke32/source/player.h b/polymer/eduke32/source/player.h
index 7629ae485..fe151f409 100644
--- a/polymer/eduke32/source/player.h
+++ b/polymer/eduke32/source/player.h
@@ -328,7 +328,7 @@ typedef struct {
 extern input_t inputfifo[MOVEFIFOSIZ][MAXPLAYERS];
 extern playerspawn_t g_playerSpawnPoints[MAXPLAYERS];
-extern playerdata_t g_player[MAXPLAYERS];
+extern playerdata_t *const g_player;
 extern int16_t WeaponPickupSprites[MAX_WEAPONS];
 extern hudweapon_t hudweap;
 extern int32_t g_levelTextTime;
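Review bot: `extern playerdata_t *const g_player;` is now declared in two headers (player.h here and global.h), which is exactly the setup in which an array-versus-pointer mismatch goes undetected: C gives no cross-translation-unit diagnostic when one header says `T x[N]` and another says `T *const x`, and since this commit changes the kind of object behind the symbol, any stale copy would make every `g_player[i]` in that unit read through a bogus address with no warning. Keep one canonical declaration — have player.h include global.h, or drop this line if global.h is always included first — so a future divergence becomes a compile error instead of silent memory corruption. The Lunatic `cdef` in defs.ilua is a third copy of the same declaration, and LuaJIT does not check a cdef against the real C definition, so a mismatch there would surface only as misbehaviour; it belongs on the same "update together" checklist, e.g. with a comment `-- must match global.h: g_player is a pointer, g_player[-1] is a dummy slot` next to it.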