| | | |
|---|---|---|
| author | Fabio Alessandrelli <fabio.alessandrelli@gmail.com> | 2018-07-08 15:11:41 +0200 |
| committer | Hein-Pieter van Braam <hp@tmm.cx> | 2018-07-29 03:00:34 +0200 |
| commit | feaf03421dda0213382b51aff07bd5a96b29487b (patch) | |
| tree | 47657fec48af1a39772327834c34f2f13236cf48 /scene/3d/cpu_particles.cpp | |
| parent | 2ef66def4615594b87340aed2b02adf2204c74c2 (diff) | |
Fix marshalls size checks.
Yesterday, when playing around with my network code, I realized there is
a security issue in decode_variant, at least when decoding PoolArrays.
Basically, the size of the PoolArray is encoded in a uint32_t; when
decoding it, that value is cast to int when comparing whether the packet is
actually that size, causing numbers with MSB=1 to be interpreted as
negative, thus always passing the check. That same value, though, is used
as uint32_t again to resize the output vector. For this reason, sending
a malformed packet with declared type PoolByteArray and size of 2^31(+x)
causes the engine to try to allocate 2+GB of pool memory, causing the
engine to crash.
(cherry picked from commit 5262d1bbcc81a06db66ac45c3f75535f231268bc)
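The signed/unsigned mismatch the commit message describes, shown on a minimal length-prefixed decoder. This is an added example written for this page, not Godot's own marshalls.cpp: the wire format (a 4-byte little-endian element count followed by that many payload bytes) and the function names `make_packet`, `buggy_check_accepts` and `safe_decode` are assumptions made here for illustration. The flawed check casts the count to `int` before comparing it against the remaining bytes, so a count with the top bit set compares as negative and slips through; the corrected check keeps the comparison unsigned and never allocates before the size has been validated.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Added example (not Godot's code): a minimal length-prefixed decoder
// modelled on the check described in the commit message. Assumed wire
// format: 4-byte little-endian element count, then that many payload bytes.

static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Builds a constructed test packet: `declared` as the length prefix and
// `payload_len` real bytes after it (the two may deliberately disagree).
std::vector<uint8_t> make_packet(uint32_t declared, size_t payload_len) {
    std::vector<uint8_t> pkt;
    for (int i = 0; i < 4; i++) pkt.push_back((uint8_t)(declared >> (8 * i)));
    pkt.insert(pkt.end(), payload_len, 0xAB);
    return pkt;
}

// The flawed check: the uint32_t count is cast to int before the comparison,
// so any count with the MSB set is negative and `len > remaining` is false.
// Returns true when this (wrong) check would accept the packet.
bool buggy_check_accepts(const std::vector<uint8_t> &pkt) {
    if (pkt.size() < 4) return false;
    uint32_t declared = read_u32_le(pkt.data());
    int len = (int)declared;                 // MSB=1 -> negative value
    int remaining = (int)(pkt.size() - 4);
    if (len > remaining) return false;       // never true for negative len
    return true;                             // caller would then resize(declared)
}

// The corrected check: keep the count unsigned and compare it against the
// remaining byte count in unsigned arithmetic. The payload is copied into
// `out` only after the size has been validated; on a mismatch nothing is
// allocated.
bool safe_decode(const std::vector<uint8_t> &pkt, std::vector<uint8_t> &out) {
    if (pkt.size() < 4) return false;
    uint32_t declared = read_u32_le(pkt.data());
    size_t remaining = pkt.size() - 4;
    if ((size_t)declared > remaining) return false;  // unsigned compare
    out.assign(pkt.begin() + 4, pkt.begin() + 4 + declared);
    return true;
}
```

The general rule applies beyond this one decoder: when a length comes off the wire as an unsigned integer, bound it against the bytes actually present using the same unsigned type (or a wider one), and only then size any buffer from it.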
Diffstat (limited to 'scene/3d/cpu_particles.cpp')
0 files changed, 0 insertions, 0 deletions