From f01bfdcdcb038c01778871793f7a5b70ac37b663 Mon Sep 17 00:00:00 2001
From: s1lent
Date: Sun, 11 Aug 2019 17:35:27 +0700
Subject: [PATCH] net_chan: Cleanup Netchan_CopyFileFragments: Fixed a potential possible case to segfault
---
 rehlds/engine/net_chan.cpp | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/rehlds/engine/net_chan.cpp b/rehlds/engine/net_chan.cpp
index cb6bfb6..957676a 100644
--- a/rehlds/engine/net_chan.cpp
+++ b/rehlds/engine/net_chan.cpp
@@ -1525,7 +1525,7 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 // TODO: add client name to message
 if (uncompressedSize > 1024 * 64) {
 Con_Printf("Received too large file (size=%u)\nFlushing input queue\n", uncompressedSize);
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
 #endif
@@ -1533,28 +1533,28 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 if (Q_strlen(filename) <= 0)
 {
 Con_Printf("File fragment received with no filename\nFlushing input queue\n");
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
 if (Q_strstr(filename, ".."))
 {
 Con_Printf("File fragment received with relative path, ignoring\n");
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
 if (filename[0] != '!' && !IsSafeFileToDownload(filename))
 {
 Con_Printf("File fragment received with bad path, ignoring\n");
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
 // This prohibits to write files to FS on server
 if (g_pcls.state == ca_dedicated && filename[0] != '!')
 {
 Con_Printf("File fragment received with bad path, ignoring (2)\n");
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
@@ -1564,7 +1564,7 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 if (filename[0] != '!' && FS_FileExists(filename))
 {
 Con_Printf("Can't download %s, already exists\n", filename);
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return TRUE;
 }
@@ -1581,7 +1581,7 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 if (!buffer)
 {
 Con_Printf("Buffer allocation failed on %i bytes\n", nsize + 1);
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 return FALSE;
 }
@@ -1610,6 +1610,13 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 }
+ // FIXED: We have concat fragment buffer above, make sure that the fisrt fragment is null
+ // otherwise we will get memory access violation at next call Netchan_FlushIncoming
+#ifdef REHLDS_FIXES
+ chan->incomingbufs[FRAG_FILE_STREAM] = nullptr;
+ chan->incomingready[FRAG_FILE_STREAM] = FALSE;
+#endif
+
 if (bCompressed)
 {
 unsigned char* uncompressedBuffer = (unsigned char*)Mem_Malloc(uncompressedSize);
@@ -1660,7 +1667,7 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 if (!handle)
 {
 Con_Printf("File open failed %s\n", filename);
- Netchan_FlushIncoming(chan, 1);
+ Netchan_FlushIncoming(chan, FRAG_FILE_STREAM);
 #ifdef REHLDS_FIXES
 Mem_Free(buffer);
@@ -1675,8 +1682,13 @@ qboolean Netchan_CopyFileFragments(netchan_t *chan)
 Mem_Free(buffer);
 }
 SZ_Clear(&net_message);
+
+// Moved above
+#ifndef REHLDS_FIXES
 chan->incomingbufs[FRAG_FILE_STREAM] = nullptr;
 chan->incomingready[FRAG_FILE_STREAM] = FALSE;
+#endif
+
 msg_readcount = 0;
 return TRUE;
 }
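Review bot: In the `@@ -1610,6 +1610,13 @@` hunk the new comment says the first fragment must be null but not why the pointer is stale, and it misspells "first". Judging by the error paths visible later in this patch (for example `File open failed`), the hazard is `Netchan_FlushIncoming(chan, FRAG_FILE_STREAM)` walking a fragment list that the concatenation loop has already released; that loop lies outside the hunk, so this is inferred. Since the fragments come from the remote peer, I would state the invariant directly: `// The loop above consumed and freed every fragment; clear the list head so a later Netchan_FlushIncoming() on an error path cannot touch freed memory.` The `// Moved above` comment in the `@@ -1675,8 +1682,13 @@` hunk would read better as `// With REHLDS_FIXES these are cleared right after the fragments are concatenated`. Netchan_CopyFileFragments starts and ends outside the first of these hunks.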