Guild icon
Teeworlds
discord.gg/teeworlds / development
For discussions around the development of the official Teeworlds
Between 2020-06-07 00:00:00Z and 2020-06-08 00:00:00Z
Avatar
GitHub BOT 2020-06-07 09:12:39Z
Author icon
mmmds
[teeworlds/teeworlds] Issue opened: #2642 Write before a buffer
Revision: 92d91f8ff48d6759add6d639b13f6f98f13553c7 In snapshot.cpp, line 609, data is assigned to aItemSizes indexed NumItems-1. If NumItems is equal zero, data is written before the buffer (index is -1). ``` File: src/engine/shared/snapshot.cpp 587: int CSnapshotBuilder::Finish(void *pSnapdata) 588: { [...] 594: pSnap->m_NumItems = m_NumItems; 595: 596: const int NumItems = m_NumItems; [...] 605: for(int i = 0; i < NumItems-1; i++) 606: { 607: aItemSizes[...
09:15
Author icon
mmmds
[teeworlds/teeworlds] Issue opened: #2643 Read before a buffer
Revision: 92d91f8ff48d6759add6d639b13f6f98f13553c7 In snapshot.cpp, line 317, server controlled integer pDelta->m_NumDeletedItems is added to pData pointer. There's a check (line 318) verifying that m_NumDeletedItems doesn't cause reaching outside the buffer. However, as m_NumDeletedItems is a signed integer, the server can send negative value and cause pData to point before the buffer. In line 352, the client dereferences the pointer. ``` File: src/engine/shared/snapshot....
09:18
Author icon
mmmds
[teeworlds/teeworlds] Issue opened: #2644 Char buffer used after scope
Revision: 92d91f8ff48d6759add6d639b13f6f98f13553c7 When the client downloads a map from the server, it displays information about it. This information is held in char aBuf[128] defined inside a block. Its address is assigned to pTitle and it's used later (outside the block). ``` File: src/game/client/components/menus.cpp 1554: int CMenus::Render() 1555: { [...] 1709: else if(m_Popup == POPUP_CONNECTING) 1710: { 1711: pTitle = Localize("Connecting to"); 1712: ...
09:20
Author icon
mmmds
[teeworlds/teeworlds] Issue opened: #2645 Client use-after-free triggered by ReadyToEnter message
Revision: 92d91f8ff48d6759add6d639b13f6f98f13553c7 In gameclient.cpp, line 1312, snapshot data is assigned to m_Snap.m_pGameData. Then, this value is access in line 504. ``` File: src/game/client/gameclient.cpp 1131: void CGameClient::OnNewSnapshot() 1132: { 1133: // clear out the invalid pointers 1134: mem_zero(&m_Snap, sizeof(m_Snap)); 1135: 1136: // secure snapshot 1137: { 1138: int Num = Client()->SnapNumItems(IClient::SNAP_CURRENT); 1139: for(int Index ...
Avatar
GitHub BOT 2020-06-07 10:28:04Z
Author icon
Robyt3
[teeworlds/teeworlds] Pull request opened: #2646 Fix usage of char buffer outside of scope in menus
  • Increase scope of aBuf. Closes #2644. Also reuse it later.
  • Minor refactoring.
10:29
Author icon
heinrich5991
[teeworlds/teeworlds] Pull request opened: #2647 Fix the issues reported by mmmds
10:30
Author icon
Robyt3
[teeworlds/teeworlds] Pull request closed: #2646 Fix usage of char buffer outside of scope in menus
Avatar
Learath2 2020-06-07 10:37:06Z
Wow that was quick, I was going to do them 😄
10:37
Knew I should have went for the last one
Avatar
heinrich5991 2020-06-07 10:37:33Z
apparently we had at least three people working on it
10:38
the last one was the trickiest one
10:38
the client barely keeps any state about the connection
Avatar
Learath2 2020-06-07 10:39:33Z
I don't like your fix for 2642
10:39
It's an extra branch per item for no reason
10:41
If no items in a snap is sane, just return the size of a snapshot + the datasize, else return -1 and let the client disconnect
10:42
Well I guess the client doesn't disconnect when delta unpacking fails, so might aswell just return quickly
Avatar
heinrich5991 2020-06-07 10:45:10Z
the "no reason" reason I had when writing the code was to make it very obvious that all indices are in-bounds
10:45
I had it as an if statement after the for loop first
10:45
but I didn't like that
Avatar
Learath2 2020-06-07 10:45:53Z
You can return at the very beginning after setting the snaps datasize and itemcount
10:46
Not like the first loop will ever execute
Avatar
heinrich5991 2020-06-07 10:47:51Z
then we'd have two separate points where we do the same calculation
10:48
one in a very rare edge case that is unlikely to get noticed if it is wrong
Avatar
Learath2 2020-06-07 10:48:31Z
fine, keep the branch
10:53
FWIW it's harder to read like this (edited)
Avatar
heinrich5991 2020-06-07 11:01:46Z
as for your performance concerns, afaict, this is not an extra branch in the compiled code
11:01
it looks like the compiler even vectorized the loop
11:02
I found it easier to verify that it does no OOB accesses if I write the loop this way
Avatar
Learath2 2020-06-07 11:05:24Z
good to hear
Avatar
GitHub BOT 2020-06-07 12:30:18Z
Author icon
ChillerDragon
[teeworlds/teeworlds] Pull request opened: #2648 Add demo sorting by name and date (#1739)
Ported from ddnet client. Demo sorting implemented by @east https://github.com/ddnet/ddnet/pull/308 Based on work by @def- https://github.com/ddnet/ddnet/commit/08ac551e0e6491d0795c90e0cbc46a1af0be1567 Thanks to @heinrich5991 for helping with the CDemoComparator !image Search by name or by date ascending or descending.
😄 1
12:32
Author icon
mmmds
[teeworlds/teeworlds] Issue opened: #2649 Access outside buffer
Revision: 92d91f8ff48d6759add6d639b13f6f98f13553c7 In CSnapshotDelta::UnpackDelta, Type and m_SnapshotCurrent indexes are values coming from the server. The server can send specially crafted data that will reading and writing outside buffers. ``` File: src/engine/shared/snapshot.cpp 302: int CSnapshotDelta::UnpackDelta(const CSnapshot *pFrom, CSnapshot *pTo, const void *pSrcData, int DataSize) 303: { 304: CSnapshotBuilder Builder; 305: const CData *pDelta = (const CData *)p...
Exported 31 message(s)