OpenJK icon indicating copy to clipboard operation
OpenJK copied to clipboard

Published 20 hours ago verified publisher icon JACoders

Rend2 out-of-bounds write while outside the map in the negative direction.

Open Charlese2 opened this issue 1 year ago • 1 comments

Reporting a bug? Please make sure you've given the following information - thanks!

Operating system and version: Windows 11 Version 22H2 (OS build 22621.2428)

Is this for single player or multiplayer? Multiplayer

Description of the bug (and if possible, steps to reproduce the bug): The Remainder of a negative Dividend with a positive Divisor can be a negative number. For example this modulo -1 % 3 would result in -1. If centerZoneOffsetX (or Y) is a low enough number by noclipping outside the map while going in a negative direction, it will make the Dividend negative. https://github.com/JACoders/OpenJK/blob/4c422eaf45573d5b00047e84a9941e5c67e7c507/codemp/rd-rend2/tr_weather.cpp#L1144-L1149 If chunkIndex ends up as a negative number it writes outside of the zoneOffsets buffer. https://github.com/JACoders/OpenJK/blob/4c422eaf45573d5b00047e84a9941e5c67e7c507/codemp/rd-rend2/tr_weather.cpp#L1134

What did you expect to happen instead? I expected it to not crash from stack corruption from noclipping outside the map. I know it is a obscure use case.

Charlese2 avatar Nov 15 '23 18:11 Charlese2

I was able to replicate this on vjun1. Will fix and open up a PR.

paishoexpert avatar Nov 15 '23 20:11 paishoexpert