Bug 4798 - Array overflow in CalculateRanks()
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: GIT MASTER
Hardware: All All
Importance: P3 normal
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
Reported: 2010-11-20 13:49 EST by Mads Lind
Modified: 2011-02-06 15:36:03 EST
Description Mads Lind 2010-11-20 13:49:49 EST
Hello there. I'm looking through your code, and I've spotted this weird thing:

in g_local.h, level_locals_t defines:
int         numteamVotingClients[2];// set by CalculateRanks

It is used in g_main, CalculateRanks:
...
for ( i = 0; i < TEAM_NUM_TEAMS; i++ ) {
    level.numteamVotingClients[i] = 0;
}
...

team_t is defined like this:
typedef enum {
    TEAM_FREE,
    TEAM_RED,
    TEAM_BLUE,
    TEAM_SPECTATOR,

    TEAM_NUM_TEAMS
} team_t;

TEAM_NUM_TEAMS is 4, so the loop in CalculateRanks overflows.

Cheers,
Mads Lind
Comment 1 Thilo Schulz 2011-02-06 15:36:03 EST
fixed r1866
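
The mismatch reported above, as an added example that is not part of the bug thread or of ioquake3's code: it counts how many iterations of a TEAM_NUM_TEAMS-bounded loop fall outside a two-element array, then resets the array with a bound taken from the array itself. The struct is a cut-down model; level_model_t, neighbourA, neighbourB, the ARRAY_LEN helper and the function names are assumptions made for the example, and the bounded loop is one possible remedy, not necessarily the change made in r1866.

```c
#include <stddef.h>
#include <stdio.h>

typedef enum { TEAM_FREE, TEAM_RED, TEAM_BLUE, TEAM_SPECTATOR, TEAM_NUM_TEAMS } team_t;

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))   /* helper defined for this example */

/* Cut-down stand-in for level_locals_t; the two neighbour fields are hypothetical. */
typedef struct {
    int numteamVotingClients[2];   /* declaration as quoted from g_local.h */
    int neighbourA;
    int neighbourB;
} level_model_t;

static level_model_t level = { {7, 7}, 111, 222 };   /* constructed sample state */

/* Count the iterations of a loop running to loop_bound whose store would land
   outside the array. Only byte offsets are computed; nothing is written. */
size_t stores_outside_array(size_t loop_bound)
{
    size_t start = offsetof(level_model_t, numteamVotingClients);
    size_t end = start + sizeof(level.numteamVotingClients);
    size_t i, outside = 0;

    for (i = 0; i < loop_bound; i++) {
        size_t off = start + i * sizeof(int);   /* where element i would be stored */
        outside += (off >= end);
    }
    return outside;
}

/* Reset bounded by the array's own length, so the loop cannot disagree with
   the declaration. Returns the number of slots cleared. */
size_t reset_team_votes(void)
{
    size_t i;
    for (i = 0; i < ARRAY_LEN(level.numteamVotingClients); i++)
        level.numteamVotingClients[i] = 0;
    return i;
}

int neighbours_intact(void) { return level.neighbourA == 111 && level.neighbourB == 222; }

int main(void)
{
    printf("stores outside array: %zu\n", stores_outside_array(TEAM_NUM_TEAMS));
    printf("slots reset: %zu, neighbours intact: %d\n", reset_team_votes(), neighbours_intact());
    return 0;
}
```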