Mirrored_Repos/DarkflameServer
1
0
Fork 0
mirror of https://github.com/DarkflameUniverse/DarkflameServer.git synced 2026-04-09 17:26:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: validate numChunks, numFlairs, vertSize before resize to prevent OOM from malformed raws

Browse Source 
Agent-Logs-Url: https://github.com/DarkflameUniverse/DarkflameServer/sessions/39d7ce79-bc9a-4960-8259-f11bcb5947f8

Co-authored-by: aronwk-aaron <26027722+aronwk-aaron@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-03-31 09:48:22 +00:00
committed by GitHub
parent d51ad3e769
commit f66716f027
1 changed files with 16 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
dZoneManager/Raw.cpp
View File

@@ -9,6 +9,7 @@
namespace { namespace {
constexpr uint32_t kMaxResolution = 4096; constexpr uint32_t kMaxResolution = 4096;
constexpr size_t kMaxBlobBytes = 64ULL * 1024 * 1024; // 64 MiB constexpr size_t kMaxBlobBytes = 64ULL * 1024 * 1024; // 64 MiB
constexpr uint32_t kMaxChunks = 1024;
} // namespace } // namespace
namespace Raw { namespace Raw {
@@ -220,6 +221,11 @@ namespace Raw {
return false; return false;
} }
const size_t flairBytes = static_cast<size_t>(numFlairs) * sizeof(FlairAttributes);
if (flairBytes > kMaxBlobBytes) {
LOG("Chunk %u flair count %u exceeds maximum (byte size %zu > %zu)", chunk.id, numFlairs, flairBytes, kMaxBlobBytes);
return false;
}
chunk.flairs.resize(numFlairs); chunk.flairs.resize(numFlairs);
for (uint32_t i = 0; i < numFlairs; ++i) { for (uint32_t i = 0; i < numFlairs; ++i) {
if (!ReadFlairAttributes(stream, chunk.flairs[i])) { if (!ReadFlairAttributes(stream, chunk.flairs[i])) {
@@ -251,6 +257,11 @@ namespace Raw {
} }
// Mesh vert usage // Mesh vert usage
const size_t vertBytes = static_cast<size_t>(chunk.vertSize) * sizeof(uint16_t);
if (vertBytes > kMaxBlobBytes) {
LOG("Chunk %u vertSize %u exceeds maximum (byte size %zu > %zu)", chunk.id, chunk.vertSize, vertBytes, kMaxBlobBytes);
return false;
}
chunk.meshVertUsage.resize(chunk.vertSize); chunk.meshVertUsage.resize(chunk.vertSize);
for (uint32_t i = 0; i < chunk.vertSize; ++i) { for (uint32_t i = 0; i < chunk.vertSize; ++i) {
BinaryIO::BinaryRead(stream, chunk.meshVertUsage[i]); BinaryIO::BinaryRead(stream, chunk.meshVertUsage[i]);
@@ -319,6 +330,11 @@ namespace Raw {
BinaryIO::BinaryRead(stream, outRaw.numChunksWidth); BinaryIO::BinaryRead(stream, outRaw.numChunksWidth);
BinaryIO::BinaryRead(stream, outRaw.numChunksHeight); BinaryIO::BinaryRead(stream, outRaw.numChunksHeight);
if (outRaw.numChunks > kMaxChunks) {
LOG("Raw numChunks %u exceeds maximum %u", outRaw.numChunks, kMaxChunks);
return false;
}
// Read all chunks // Read all chunks
outRaw.chunks.resize(outRaw.numChunks); outRaw.chunks.resize(outRaw.numChunks);
for (uint32_t i = 0; i < outRaw.numChunks; ++i) { for (uint32_t i = 0; i < outRaw.numChunks; ++i) {