fix an Heap Overflow when using World Weapons

BZFlag-Dev · Mar 28, 2024 · 523084f · 523084f
1 parent 44daa8f
commit 523084f
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 10 deletions.
diff --git a/include/global.h b/include/global.h
@@ -34,6 +34,11 @@ const int       TokenLen = 22;      // opaque string (now int(10)) and terminati
 const int       VersionLen = 60;    // including terminating NUL
 const int       MessageLen = 128;   // including terminating NUL
 
+// world->maxPlayers do not work as bzfs uses more player slot than
+// real players. Any tcp connection is assigned a slot.
+// So I put now 216. We should fix it though.
+const int       maxRemotePlayers = 216;
+
 // types of things we can be
 enum PlayerType
 {

diff --git a/src/bzflag/WorldBuilder.cxx b/src/bzflag/WorldBuilder.cxx
@@ -247,14 +247,9 @@ void WorldBuilder::preGetWorld()
     // prepare players array
     if (world->players)
         delete[] world->players;
-    // FIXME
-    // world->maxPlayers do not work as bzfs uses more player slot than
-    // real players. Any tcp connection is assigned a slot.
-    // So I put now 216. We should fix it though.
-    const int maxPlayers = 216;
-    world->players = new RemotePlayer*[maxPlayers];
+    world->players = new RemotePlayer*[maxRemotePlayers];
     int i;
-    for (i = 0; i < maxPlayers; i++)
+    for (i = 0; i < maxRemotePlayers; i++)
         world->players[i] = NULL;
 
     // prepare flags array

diff --git a/src/bzflag/playing.cxx b/src/bzflag/playing.cxx
@@ -2902,11 +2902,13 @@ static void     handleServerMessage(bool human, uint16_t code,
         msg = firingInfo.unpack(msg);
 
         const int shooterid = firingInfo.shot.player;
-        RemotePlayer* shooter = remotePlayers[shooterid];
+        RemotePlayer* shooter = shooterid < maxRemotePlayers
+                                ? remotePlayers[shooterid]
+                                : NULL;
 
         if (shooterid != ServerPlayer)
         {
-            if (shooter && remotePlayers[shooterid]->getId() == shooterid)
+            if (shooter && shooter->getId() == shooterid)
             {
                 shooter->addShot(firingInfo);
 

diff --git a/src/geometry/MeshSceneNode.cxx b/src/geometry/MeshSceneNode.cxx
@@ -177,6 +177,9 @@ MeshSceneNode::~MeshSceneNode()
     }
     delete[] lods;
 
+    delete [] lodLengths;
+    delete [] radarLengths;
+
     OpenGLGState::unregisterContextInitializer(freeContext, initContext, this);
 
     return;

diff --git a/src/scene/ZSceneDatabase.cxx b/src/scene/ZSceneDatabase.cxx
@@ -215,7 +215,7 @@ void ZSceneDatabase::makeCuller()
     logDebugMessage(2,"SceneNode Octree processed in %.3f seconds.\n", elapsed);
 
     if (culledList != staticList)
-        delete culledList;
+        delete [] culledList;
 
     // make scratch pad for the culler
     culledList = new SceneNode*[staticCount];