IS4Code / PawnPlus

A SA-MP plugin enhancing the capabilities of the Pawn programming language
MIT License

Fix out of bounds/null pointer access #27

Closed AGraber closed 4 years ago

AGraber commented 4 years ago

One correct use of amx_Register is to pass an array and the native count, instead of "terminating" the array with a null object.

https://github.com/IllidanS4/PawnPlus/blob/19c59e2ceb86021f5659724e3ee77395f0e746c5/plugins/src/amxinfo.cpp#L99

There's already a check for the count, but it's done too late since the code tries to access an OOB slot. There's also a case where the AMX runtime will pass null as the native list and 0 as count:

https://github.com/pawn-lang/compiler/blob/c565a5d1dff0ad4950162fc3dd98a0e00ae236fe/source/amx/amx.c#L3090

In that case, the count check is done too late as the code tries to access a null pointer.
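The check ordering described in this report, as an added example that is not PawnPlus or AMX code: `NativeInfo` is a stand-in for the SDK's `AMX_NATIVE_INFO`, and `collect_natives` and `dummy_native` are hypothetical names. It assumes a count of -1 means "null-terminated list", as in the AMX registration convention.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for the SDK's AMX_NATIVE_INFO so the example builds without SDK headers.
struct NativeInfo {
    const char *name;
    int (*func)();
};

static int dummy_native() { return 0; }  // constructed placeholder native

// Hypothetical helper: returns the names a registration call describes.
//   number == -1 : list ends at the first entry whose name is null
//   number >= 0  : list holds exactly that many entries, no terminator required
std::vector<std::string> collect_natives(const NativeInfo *list, int number)
{
    std::vector<std::string> names;

    // The runtime may pass a null list together with a count of 0.
    if (list == nullptr)
        return names;

    // Ordering reported as unsafe: testing list[i].name before the count
    // reads slot `number` of a counted array (one past the end).
    // Here the count test runs first, so list[i] is only read for a valid slot.
    for (int i = 0; (number == -1 || i < number) && list[i].name != nullptr; i++)
        names.emplace_back(list[i].name);

    return names;
}

int main()
{
    // Constructed sample input: a counted array with no terminator entry.
    const NativeInfo counted[2] = {{"first", dummy_native}, {"second", dummy_native}};
    // Constructed sample input: a null-terminated array.
    const NativeInfo terminated[] = {{"only", dummy_native}, {nullptr, nullptr}};

    std::printf("counted: %zu\n", collect_natives(counted, 2).size());
    std::printf("terminated: %zu\n", collect_natives(terminated, -1).size());
    std::printf("null list: %zu\n", collect_natives(nullptr, 0).size());
    return 0;
}
```

Building with `-fsanitize=address` and swapping the two loop conditions back makes the one-past-the-end read on the counted array visible.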

IS4Code commented 4 years ago

I copied that loop from the AMX source, guess I shouldn't be surprised that it has brought this issue. Thanks for finding this!