Bug 2438 - Buffer overrun if # lightmaps > MAX_LIGHTMAPS
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Video
Version: 1.33 SVN
Hardware: PC All
Importance: P2 minor
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
Reported: 2005-10-19 18:51 EDT by Ben Noordhuis
Modified: 2007-05-21 11:23:58 EDT

Attachments
(Unified) diff -- catch # lightmaps > MAX_LIGHTMAPS (551 bytes, patch)
2005-10-20 09:59 EDT, Ben Noordhuis
(Unified) diff -- catch lightmapIndex >= tr.numLightmaps in RE_RegisterShaderFromImage (519 bytes, patch)
2005-10-20 10:08 EDT, Ben Noordhuis

Description Ben Noordhuis 2005-10-19 18:51:56 EDT
A buffer overrun occurs if a map has more than MAX_LIGHTMAPS (256) lightmaps.
Apply diff to renderer/tr_bsp.c.

157a158,160
>       } else if ( tr.numLightmaps >= MAX_LIGHTMAPS ) {        // 20051020
misantropia
>         ri.Printf( PRINT_WARNING, "WARNING: number of lightmaps >
MAX_LIGHTMAPS\n" );
>         tr.numLightmaps = MAX_LIGHTMAPS;
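Review bot: The condition on the added `else if` line tests `tr.numLightmaps >= MAX_LIGHTMAPS`, while the warning text on the next line says `>`. With `>=`, a map that has exactly MAX_LIGHTMAPS lightmaps prints the warning even though `tr.numLightmaps = MAX_LIGHTMAPS;` leaves its count unchanged. If the array holds MAX_LIGHTMAPS entries, as the description implies, compare with `>` so the warning fires only when lightmaps are actually dropped.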
Comment 1 Ben Noordhuis 2005-10-19 18:52:44 EDT
Sorry, this is the correct diff:

<       }
---
>     } else if ( tr.numLightmaps >= MAX_LIGHTMAPS ) {        // 20051020
misantropia
>         ri.Printf( PRINT_WARNING, "WARNING: number of lightmaps >
MAX_LIGHTMAPS\n" );
>         tr.numLightmaps = MAX_LIGHTMAPS;
>     }
>
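Review bot: The `ri.Printf` warning reports neither the map's actual lightmap count nor the limit, and the following line overwrites `tr.numLightmaps`, so the original value is lost. Suggest printing both numbers in the warning before clamping, so the message shows how far over the limit the map is. The trailing `// 20051020 misantropia` tag on the `else if` line is better kept in the commit log than in the source.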
Comment 2 Zachary J. Slater 2005-10-19 22:34:53 EDT
Please be more careful in the future when filing. Will be looked at and
hopefully applied when we get the chance.
Comment 3 Aaron Gyes 2005-10-19 23:02:27 EDT
<troll> and use diff -u!
Comment 4 Ben Noordhuis 2005-10-20 09:59:54 EDT
Created attachment 796
(Unified) diff -- catch # lightmaps > MAX_LIGHTMAPS

Warn if # lightmaps > MAX_LIGHTMAPS, avoid buffer overrun.
Comment 5 Ben Noordhuis 2005-10-20 10:08:08 EDT
Created attachment 797
(Unified) diff -- catch lightmapIndex >= tr.numLightmaps in RE_RegisterShaderFromImage

Avoids a potential out-of-bounds error if RE_RegisterShaderFromImage
(tr_shader.c) is called with a lightmapIndex >= tr.numLightmaps by setting the
lightmapIndex to LIGHTMAP_WHITEIMAGE (full bright). As it is now, this function
is only called from tr_font.c with lightmapIndex == LIGHTMAP_2D but this patch
might come in handy for future use.
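
The two guards discussed in this report (clamping the lightmap count at load time, and mapping an out-of-range lightmapIndex to LIGHTMAP_WHITEIMAGE at use time), shown together as a standalone C model. This is an added example, not ioquake3 code and not either attached patch; `renderer_t`, `load_lightmaps`, `sanitize_lightmap_index`, `LIGHTMAP_BYTES` and the numeric values given to the `LIGHTMAP_*` constants are assumptions made for the sketch.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_LIGHTMAPS       256               /* limit quoted in the report */
#define LIGHTMAP_BYTES      (128 * 128 * 3)   /* assumed size of one lightmap */
#define LIGHTMAP_WHITEIMAGE (-2)              /* assumed value of the fallback */
#define LIGHTMAP_2D         (-4)              /* assumed lowest special index */

typedef struct {                     /* simplified stand-in for renderer state */
    int numLightmaps;
    int lightmaps[MAX_LIGHTMAPS];    /* placeholder image handles */
} renderer_t;

/* Load-time guard: clamp the count taken from the file before it is used
 * to fill the fixed array. Returns how many lightmaps were dropped. */
static size_t load_lightmaps(renderer_t *tr, size_t lumpBytes)
{
    size_t count = lumpBytes / LIGHTMAP_BYTES;
    size_t dropped = 0;

    if (count > MAX_LIGHTMAPS) {     /* exactly MAX_LIGHTMAPS still fits */
        dropped = count - MAX_LIGHTMAPS;
        fprintf(stderr, "WARNING: %zu lightmaps > MAX_LIGHTMAPS (%d)\n",
                count, MAX_LIGHTMAPS);
        count = MAX_LIGHTMAPS;
    }
    tr->numLightmaps = (int)count;
    for (int i = 0; i < tr->numLightmaps; i++)
        tr->lightmaps[i] = 1000 + i; /* constructed handle values */
    return dropped;
}

/* Use-time guard: negative values are special indexes and pass through if
 * known; anything at or past numLightmaps becomes full bright. */
static int sanitize_lightmap_index(const renderer_t *tr, int lightmapIndex)
{
    if (lightmapIndex < 0)
        return lightmapIndex >= LIGHTMAP_2D ? lightmapIndex : LIGHTMAP_WHITEIMAGE;
    return lightmapIndex < tr->numLightmaps ? lightmapIndex : LIGHTMAP_WHITEIMAGE;
}

int main(void)
{
    renderer_t tr;
    size_t dropped = load_lightmaps(&tr, (size_t)300 * LIGHTMAP_BYTES); /* constructed map */
    printf("dropped=%zu index 299 -> %d\n", dropped, sanitize_lightmap_index(&tr, 299));
    return 0;
}
```

The load-time clamp alone does not cover references to the dropped lightmaps, which is why the index check is applied separately wherever an index is consumed.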
Comment 6 Tim Angus 2005-10-20 12:21:31 EDT
Please make patches relative to the root directory.

Thanks.
Comment 7 Ryan C. Gordon 2007-05-21 11:23:58 EDT
Setting a QA contact on all ioquake3 bugs, even resolved ones. Sorry if you get a flood of email from this, it should only happen once. Apologies for the inconvenience.

--ryan.