
Fix the null reference vulnerability.

Open QiuYitai opened this issue 8 months ago • 0 comments

Hello, our team has recently been conducting research on a null-pointer-dereference (NPD) vulnerability detection tool and used it to scan qengine (the version on the master branch). After a manual review, we have identified some potentially vulnerable code snippets that may lead to null-pointer-dereference bugs. The NULL dereference vulnerability happens in void R_StepActiveU(), src/client/renderer/sw_edge.c.

How the NULL pointer dereference happens:

  1. When pwedge == NULL
  2. NULL dereference of variable pwedge happens at pedge->next = pwedge->next;
void R_StepActiveU(edge_t *pedge)
{
    edge_t *pnext_edge, *pwedge;
    while (1) {
        pedge->u += pedge->u_step;
        ......
        pwedge = pedge->prev->prev;
=>      while (pwedge && (pwedge->u > pedge->u)) {
            pwedge = pwedge->prev;
            // when pwedge == NULL -> break
        }
=>      pedge->next = pwedge->next;
        ......
    }
}

QiuYitai avatar Apr 18 '25 06:04 QiuYitai
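The reported pattern, reduced to a stand-alone model so the failure and one hardening can be exercised. This is an added example written for this page, not qengine's code: the edge_t here carries only the fields the snippet touches, the list is NULL-terminated with no head or tail sentinel, and step_edge_checked is a hypothetical hardened rewrite of the walk, not a patch to sw_edge.c. Whether qengine actually keeps sentinel edges that bound the backward walk is not visible in the snippet; if it does, pwedge can never become NULL and the right fix is an assert on that invariant rather than a runtime branch. That is an assumption to check against sw_edge.c before filing a patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in edge record with just the fields the issue's snippet uses.
 * Constructed for this example; it is not qengine's edge_t. */
typedef struct edge_s {
    int u;                  /* current x position of the edge */
    int u_step;             /* per-scanline delta applied to u */
    struct edge_s *prev, *next;
} edge_t;

/* NULL-terminated list with no sentinel, so prev really can be NULL. */
typedef struct { edge_t *head; } edge_list_t;

/* Wire n edges into a list in the given order (constructed test fixture). */
static void build_list(edge_list_t *l, edge_t **edges, int n)
{
    int i;
    l->head = n ? edges[0] : NULL;
    for (i = 0; i < n; i++) {
        edges[i]->prev = i > 0 ? edges[i - 1] : NULL;
        edges[i]->next = i + 1 < n ? edges[i + 1] : NULL;
    }
}

/* Unlink e from the list; prev/next may be NULL at either end. */
static void unlink_edge(edge_list_t *l, edge_t *e)
{
    if (e->prev) e->prev->next = e->next; else l->head = e->next;
    if (e->next) e->next->prev = e->prev;
}

/* Insert e immediately after `after`; after == NULL means at the front. */
static void insert_after(edge_list_t *l, edge_t *after, edge_t *e)
{
    e->prev = after;
    e->next = after ? after->next : l->head;
    if (e->next) e->next->prev = e;
    if (after) after->next = e; else l->head = e;
}

/* The same backward walk as the issue's snippet, written so it cannot
 * dereference NULL: if the walk runs off the front of the list the edge
 * is reinserted at the head instead of reading pwedge->next.
 * Returns 1 if the edge was moved, 0 if it was already in order. */
static int step_edge_checked(edge_list_t *l, edge_t *pedge)
{
    edge_t *pwedge;

    pedge->u += pedge->u_step;
    if (pedge->prev == NULL || pedge->u >= pedge->prev->u)
        return 0;                        /* still sorted, nothing to do */

    pwedge = pedge->prev->prev;          /* may already be NULL */
    unlink_edge(l, pedge);
    while (pwedge && pwedge->u > pedge->u)
        pwedge = pwedge->prev;           /* may end at NULL, as in the issue */
    insert_after(l, pwedge, pedge);      /* NULL -> front of list, no deref */
    return 1;
}

/* Check: 1 if the list is sorted by u and prev links are consistent. */
static int list_is_sorted(const edge_list_t *l)
{
    const edge_t *e, *last = NULL;
    for (e = l->head; e; last = e, e = e->next) {
        if (e->prev != last) return 0;
        if (last && last->u > e->u) return 0;
    }
    return 1;
}

/* Scenario from the issue: the walk starts at pedge->prev->prev, which is
 * NULL because pedge is the second edge. The original would read NULL->next. */
static int demo_walk_off_front(void)
{
    edge_t a = { 10, 0, NULL, NULL }, b = { 20, -15, NULL, NULL }, c = { 30, 0, NULL, NULL };
    edge_t *edges[] = { &a, &b, &c };
    edge_list_t l;
    int moved;

    build_list(&l, edges, 3);
    moved = step_edge_checked(&l, &b);   /* b.u becomes 5, below a.u */
    return moved && l.head == &b && b.u == 5 && list_is_sorted(&l);
}

/* Scenario where the walk stops on a real edge: d drops from 40 to 15 and
 * must land between a (10) and b (20). */
static int demo_walk_lands_mid(void)
{
    edge_t a = { 10, 0, NULL, NULL }, b = { 20, 0, NULL, NULL };
    edge_t c = { 30, 0, NULL, NULL }, d = { 40, -25, NULL, NULL };
    edge_t *edges[] = { &a, &b, &c, &d };
    edge_list_t l;
    int moved;

    build_list(&l, edges, 4);
    moved = step_edge_checked(&l, &d);
    return moved && a.next == &d && d.next == &b && list_is_sorted(&l);
}

int main(void)
{
    printf("walk off front handled: %d\n", demo_walk_off_front());
    printf("walk lands mid-list:    %d\n", demo_walk_lands_mid());
    return 0;
}
```

The first scenario is exactly the shape the report describes: pedge->prev->prev is NULL before the loop even runs, the `pwedge &&` guard makes the loop exit with pwedge == NULL, and the unguarded `pwedge->next` that follows is where the crash would be. Reinserting at the head is the semantically right outcome there, since an edge whose u is below every predecessor belongs first; in an engine that instead bounds the list with a sentinel whose u is lower than any real edge, the walk terminates on the sentinel and the guard is dead code, which is worth confirming before changing the renderer.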