engine: client: validate dem_usercmd size before reading it into the buffer
This commit is contained in:
Alibek Omarov
parent
ac6dc2c2d3
commit
af332eb8ac
1 changed files with 27 additions and 19 deletions
|
|
@ -221,6 +221,25 @@ double CL_GetDemoFramerate( void )
|
||||||
return bound( MIN_FPS, demo.header.host_fps, MAX_FPS_HARD );
|
return bound( MIN_FPS, demo.header.host_fps, MAX_FPS_HARD );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
=================
|
||||||
|
CL_DemoAborted
|
||||||
|
=================
|
||||||
|
*/
|
||||||
|
static void CL_DemoAborted( void )
|
||||||
|
{
|
||||||
|
if( cls.demofile )
|
||||||
|
FS_Close( cls.demofile );
|
||||||
|
cls.demoplayback = false;
|
||||||
|
cls.changedemo = false;
|
||||||
|
cls.timedemo = false;
|
||||||
|
demo.framecount = 0;
|
||||||
|
cls.demofile = NULL;
|
||||||
|
cls.demonum = -1;
|
||||||
|
|
||||||
|
Cvar_DirectSet( &v_dark, "0" );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
====================
|
====================
|
||||||
CL_WriteDemoCmdHeader
|
CL_WriteDemoCmdHeader
|
||||||
|
|
@ -593,6 +612,14 @@ static void CL_ReadDemoUserCmd( qboolean discard )
|
||||||
FS_Read( cls.demofile, &outgoing_sequence, sizeof( int ));
|
FS_Read( cls.demofile, &outgoing_sequence, sizeof( int ));
|
||||||
FS_Read( cls.demofile, &cmdnumber, sizeof( int ));
|
FS_Read( cls.demofile, &cmdnumber, sizeof( int ));
|
||||||
FS_Read( cls.demofile, &bytes, sizeof( short ));
|
FS_Read( cls.demofile, &bytes, sizeof( short ));
|
||||||
|
|
||||||
|
if( bytes >= sizeof( data ))
|
||||||
|
{
|
||||||
|
Con_Printf( S_ERROR "%s: too large dem_usercmd (size %u seq %i)\n", __func__, bytes, outgoing_sequence );
|
||||||
|
CL_DemoAborted();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
FS_Read( cls.demofile, data, bytes );
|
FS_Read( cls.demofile, data, bytes );
|
||||||
|
|
||||||
if( !discard )
|
if( !discard )
|
||||||
|
|
@ -721,25 +748,6 @@ static void CL_DemoStartPlayback( int mode )
|
||||||
cl.last_command_ack = -1;
|
cl.last_command_ack = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
|
||||||
=================
|
|
||||||
CL_DemoAborted
|
|
||||||
=================
|
|
||||||
*/
|
|
||||||
static void CL_DemoAborted( void )
|
|
||||||
{
|
|
||||||
if( cls.demofile )
|
|
||||||
FS_Close( cls.demofile );
|
|
||||||
cls.demoplayback = false;
|
|
||||||
cls.changedemo = false;
|
|
||||||
cls.timedemo = false;
|
|
||||||
demo.framecount = 0;
|
|
||||||
cls.demofile = NULL;
|
|
||||||
cls.demonum = -1;
|
|
||||||
|
|
||||||
Cvar_DirectSet( &v_dark, "0" );
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
=================
|
=================
|
||||||
CL_DemoCompleted
|
CL_DemoCompleted
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue