
Fix segfault when sending a very large net chat message.

This crash occurred on the receiver machine, making it effectively a
remote crash attack.

Reported by: Riddler66
Based on a patch by: elexis
Fixes #5726

Differential Revision: https://code.wildfiregames.com/D2629
This was SVN commit r23918.
wraitii 2020-08-01 15:25:13 +00:00
parent 5473393e30
commit 21cdcf44bc
2 changed files with 7 additions and 2 deletions


@ -1,4 +1,4 @@
/* Copyright (C) 2015 Wildfire Games.
/* Copyright (C) 2020 Wildfire Games.
* This file is part of 0 A.D.
*
* 0 A.D. is free software: you can redistribute it and/or modify
@ -221,6 +221,7 @@ u8 *_nm::Serialize(u8 *buffer) const \
const u8 *_nm::Deserialize(const u8 *pos, const u8 *end) \
{ \
pos=_base::Deserialize(pos, end); \
if (pos == NULL) BAIL_DESERIALIZER;\
_nm *thiz=this; \
/*printf("In Deserialize" #_nm "\n"); */\
UNUSED2(thiz); // preempt any "unused" warning
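Review bot: The guard `if (pos == NULL) BAIL_DESERIALIZER;` in the derived-class Deserialize macro has no comment saying why `_base::Deserialize` can return NULL, yet that failure path is what the commit message ties to the remote crash. I would add a continuation-safe comment above it, for example `/* base returns NULL on malformed or truncated input; stop before reading fields */\`, so that the check is not later removed as redundant. BAIL_DESERIALIZER is defined outside this hunk, so it is worth confirming that it returns NULL from the function rather than only logging. The function body opened by this macro continues outside the hunk, and any sibling macro that chains to a base Deserialize presumably needs the same guard.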


@ -1,4 +1,4 @@
/* Copyright (C) 2019 Wildfire Games.
/* Copyright (C) 2020 Wildfire Games.
* This file is part of 0 A.D.
*
* 0 A.D. is free software: you can redistribute it and/or modify
@ -467,6 +467,8 @@ u8* CStrW::Serialize(u8* buffer) const
const u8* CStrW::Deserialize(const u8* buffer, const u8* bufferend)
{
ENSURE(buffer);
ENSURE(bufferend);
const u16 *strend = (const u16 *)buffer;
while ((const u8 *)strend < bufferend && *strend) strend++;
if ((const u8 *)strend >= bufferend) return NULL;
@ -507,6 +509,8 @@ u8* CStr8::Serialize(u8* buffer) const
const u8* CStr8::Deserialize(const u8* buffer, const u8* bufferend)
{
ENSURE(buffer);
ENSURE(bufferend);
u32 len;
Deserialize_int_4(buffer, len);
if (buffer + len > bufferend)