matthew/The-Powder-Toy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix tpt.parts being unsafe

Browse Source 
`tpt.parts` does check whether the particle ID it gets is valid, but it doesn't check whether that particle ID is used. One could potentially modify the life property of dead particles to break the linked list of free particle IDs, thus potentially gaining the ability to read from or write to arbitrary addresses in memory.
This commit is contained in:
LBPHacker 2017-07-12 21:30:41 +02:00 committed by jacob1
parent 8e5b0c760e
commit 7dd538b82c
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/lua/LegacyLuaAPI.cpp
View File

@ -32,6 +32,8 @@ int luacon_partread(lua_State* l)
if (i < 0 || i >= NPART)
return luaL_error(l, "Out of range");
if (!luacon_sim->parts[i].type)
return luaL_error(l, "dead particle");
if (offset == -1)
{
if (!key.compare("id"))
@ -68,6 +70,8 @@ int luacon_partwrite(lua_State* l)
if (i < 0 || i >= NPART)
return luaL_error(l, "Out of range");
if (!luacon_sim->parts[i].type)
return luaL_error(l, "dead particle");
if (offset == -1)
return luaL_error(l, "Invalid property");
@ -95,6 +99,11 @@ int luacon_partsread(lua_State* l)
{
return luaL_error(l, "array index out of bounds");
}
if (!luacon_sim->parts[i].type)
{
return luaL_error(l, "dead particle");
}
lua_rawgeti(l, LUA_REGISTRYINDEX, tptPart);
cIndex = i;