
The specific content length of the 'ents' script file (multiples of 32) may force the game to shut down

Open C-ColinTH opened this issue 3 weeks ago • 1 comment

It's a Memory Pool Out-of-Bounds Read issue. When the length of the allocated string is exactly a multiple of 32, this problem can occur.

This issue occurred during the loading process of the SFM map on Elite Guard that was updated a few days ago. Its "sfm.ents" file length is 7456, exactly a multiple of 32 (see void *G_Alloc( int size ) in "g_mem.c"). Then, in G_ParseExtraSpawnVars, it unexpectedly exceeded the bounds and read another string, "holdable_bandages", from the memory pool. It triggered G_Error ("G_ParseExtraSpawnVars: EOF without closing brace").

Original content in ENTS:

...
{
"classname" "ai_partisan"
"origin" "829 -2897 -103"
"ainame" "ai_npc_partisan1"
"aiteam" "1"
"spawnflags" "1"
"skin" "partisan/civilian"
"head" "civilian"
"angle" "90"
}

Current content in variable level.extraEntsScript:

...
{
"classname" "ai_partisan"
"origin" "829 -2897 -103"
"ainame" "ai_npc_partisan1"
"aiteam" "1"
"spawnflags" "1"
"skin" "partisan/civilian"
"head" "civilian"
"angle" "90"
}

holdable_bandages

C-ColinTH, Dec 09 '25 11:12
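The failure mode described above, as an added model that is not RealRTCW's code: a hypothetical bump allocator that rounds every request up to 32 bytes (`pool_alloc`, standing in for the page's G_Alloc), a script buffer copied in without room for its terminator, and a neighbouring allocation that the unterminated read runs into. The allocator, the buffer names and the constructed inputs are assumptions; only the 32-byte rounding and the "holdable_bandages" neighbour come from the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical pool: fresh, zero-filled memory handed out in 32-byte
   multiples. This models the behaviour the report attributes to G_Alloc
   in g_mem.c; it is not that function. */
static char pool[4096];
static size_t pool_used;

static void *pool_alloc(size_t size) {
    size = (size + 31) & ~(size_t)31;     /* round request up to 32 */
    void *p = pool + pool_used;
    pool_used += size;
    return p;
}

static void pool_reset(void) {
    memset(pool, 0, sizeof pool);
    pool_used = 0;
}

/* Copy a constructed 'len'-byte script into the pool, then make the next
   allocation (a neighbouring name string), and report how long the script
   now reads back as. buggy=1 requests only len bytes and copies len bytes
   with no terminator; buggy=0 requests len+1 and terminates the copy. */
static size_t observed_script_len(size_t len, int buggy) {
    static char src[512];
    pool_reset();
    memset(src, 'x', len);                /* constructed script body */
    src[len] = '\0';

    char *script = pool_alloc(buggy ? len : len + 1);
    memcpy(script, src, len);
    if (!buggy)
        script[len] = '\0';

    char *neighbour = pool_alloc(32);     /* lands right after the script */
    strcpy(neighbour, "holdable_bandages");

    return strlen(script);                /* > len means the read overran */
}

int main(void) {
    printf("len 63, no terminator: reads as %zu (padding byte saves it)\n",
           observed_script_len(63, 1));
    printf("len 64, no terminator: reads as %zu (runs into neighbour)\n",
           observed_script_len(64, 1));
    printf("len 64, terminated:    reads as %zu\n", observed_script_len(64, 0));
    return 0;
}
```

The unterminated copy only works while the rounding leaves a zero byte of slack; at any length that is an exact multiple of 32 there is none, which is why the 7456-byte file in the report fails and a file one byte shorter would not.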