path: root/scene/3d/cpu_particles.cpp
author: Fabio Alessandrelli <fabio.alessandrelli@gmail.com> 2018-07-08 15:11:41 +0200
committer: Hein-Pieter van Braam <hp@tmm.cx> 2018-07-29 03:00:34 +0200
commit: feaf03421dda0213382b51aff07bd5a96b29487b (patch)
tree: 47657fec48af1a39772327834c34f2f13236cf48 /scene/3d/cpu_particles.cpp
parent: 2ef66def4615594b87340aed2b02adf2204c74c2 (diff)
Fix marshalls size checks.

Yesterday, when playing around with my network code, I realized there is a security issue in decode_variant, at least when decoding PoolArrays.

Basically, the size of the PoolArray is encoded in a uint32_t; when decoding it, that value is cast to int when comparing if the packet is actually that size, causing numbers with MSB=1 to be interpreted as negative, thus always passing the check. That same value, though, is used as uint32_t again to resize the output vector.

For this reason, sending a malformed packet with declared type PoolByteArray and size of 2^31(+x) causes the engine to try to allocate 2+GB of pool memory, causing the engine to crash.

(cherry picked from commit 5262d1bbcc81a06db66ac45c3f75535f231268bc)
Diffstat (limited to 'scene/3d/cpu_particles.cpp')
0 files changed, 0 insertions, 0 deletions
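
The size check described in the commit message, shown beside an unsigned form of the same check. This is an added example, not Godot's code and not part of the commit. The wire layout (4-byte little-endian count followed by the payload), the function names and the sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: 4-byte little-endian element count, then that many bytes. */
static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Check as the commit message describes it: the count is cast to int for the
   comparison, so a count with MSB=1 turns negative (on the usual
   two's-complement targets) and is never "greater than" the bytes remaining.
   Returns 1 when the declared count is accepted. */
int size_check_signed(const uint8_t *buf, int len) {
    if (len < 4) return 0;
    uint32_t count = read_le32(buf);
    return !((int)count > len - 4);
}

/* Same check done in the unsigned domain: len - 4 is known non-negative here,
   so converting it to uint32_t cannot change its value. */
int size_check_unsigned(const uint8_t *buf, int len) {
    if (len < 4) return 0;
    uint32_t count = read_le32(buf);
    return count <= (uint32_t)(len - 4);
}

/* Decoder built on the unsigned check. It copies only a payload that is
   really present and fits the caller's buffer. Returns bytes copied or -1. */
long decode_bytes(const uint8_t *buf, int len, uint8_t *out, size_t out_cap) {
    if (!size_check_unsigned(buf, len)) return -1;
    uint32_t count = read_le32(buf);
    if (count > out_cap) return -1;
    memcpy(out, buf + 4, count);
    return (long)count;
}

/* Constructed sample packets. */
const uint8_t PKT_OK[]  = {3, 0, 0, 0, 'a', 'b', 'c'};
const uint8_t PKT_BAD[] = {0x10, 0, 0, 0x80}; /* count 0x80000010, no payload */

int main(void) {
    printf("signed check accepts bad packet:   %d\n", size_check_signed(PKT_BAD, 4));
    printf("unsigned check accepts bad packet: %d\n", size_check_unsigned(PKT_BAD, 4));
    return 0;
}
```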