Razish / japp

JA++ server and client modification for Jedi Academy
GNU General Public License v2.0

Off by one error in "SelectRandomFurthestSpawnPoint" #441

Closed Charlese2 closed 2 years ago

Charlese2 commented 2 years ago

numSpots ends up being one value higher than the contents of the list_spot array. When Q_irand picks the highest value of numSpots it feeds an invalid pointer to VectorCopy. https://github.com/Razish/japp/blob/master/game/g_client.cpp#L647

========================================
JA++ Crash Log

Version: JA++, 32 bits, Jan 29 2022, 8110a91 (Windows)
Side: Server-side
Build Date/Time: Jan 29 2022 14:17:50
Operating system: Microsoft Unknown Edition (build 9200), 64-bit
Crash type: Exception


      Exception Information

Process: D:\JediAcademy\openjkded.x86.exe
Exception in module: OJKC4BA.tmp
Exception Address: 0x7A0F1E99 (OJKC4BA.tmp+0x181E99)
Exception Code: 0xC0000005 (Access Violation)
Attempted to read data at: 0x00000062


          Register Dump

General Purpose & Control Registers:
EAX: 0x00EF156C, EBX: 0x00000001, ECX: 0x00000062, EDX: 0x00000062
EDI: 0x00EF2CA8, ESI: 0x7B2E1D80, ESP: 0x00EF0D08, EBP: 0x00EF0D08
EIP: 0x7A0F1E99

Segment Registers:
CS: 0x00000023, DS: 0x0000002B, ES: 0x0000002B
FS: 0x00000053, GS: 0x0000002B, SS: 0x0000002B


           Module List



      Disassembly/Source code

Crash location located at 0x7A0F1E99: OJKC4BA.tmp::VectorCopy(+0x9) [Func at 0x7A0F1E90]
Source code: D:\japp\qcommon\q_math.cpp:1318(+0x6)

^^^^^^^^^^
0x7A0F1E8A - int3
0x7A0F1E8B - int3
0x7A0F1E8C - int3
0x7A0F1E8D - int3
0x7A0F1E8E - int3
0x7A0F1E8F - int3

--- D:\japp\qcommon\q_math.cpp:1317 ---

0x7A0F1E90 - push ebp
0x7A0F1E91 - mov ebp, esp

--- D:\japp\qcommon\q_math.cpp:1318 ---

0x7A0F1E93 - mov eax, [ebp+0xc]
0x7A0F1E96 - mov ecx, [ebp+0x8]

=============================================
0x7A0F1E99 - mov edx, [ecx] <-- Exception

0x7A0F1E9B - mov [eax], edx

--- D:\japp\qcommon\q_math.cpp:1319 ---

0x7A0F1E9D - mov eax, [ebp+0xc]
0x7A0F1EA0 - mov ecx, [ebp+0x8]
0x7A0F1EA3 - mov edx, [ecx+0x4]
0x7A0F1EA6 - mov [eax+0x4], edx

--- D:\japp\qcommon\q_math.cpp:1320 ---

0x7A0F1EA9 - mov eax, [ebp+0xc]
0x7A0F1EAC - mov ecx, [ebp+0x8]
0x7A0F1EAF - mov edx, [ecx+0x8]
0x7A0F1EB2 - mov [eax+0x8], edx

--- D:\japp\qcommon\q_math.cpp:1321 ---

0x7A0F1EB5 - pop ebp
vvvvvvvvvv


            Backtrace

OJKC4BA.tmp::VectorCopy(+0x9) [0x7A0F1E99] - (D:\japp\qcommon\q_math.cpp:1318)
OJKC4BA.tmp::SelectRandomFurthestSpawnPoint(+0x54E) [0x79FF322E] - (D:\japp\game\g_client.cpp:649)
OJKC4BA.tmp::SelectSpawnPoint(+0x18) [0x79FF1728] - (D:\japp\game\g_client.cpp:728)
OJKC4BA.tmp::ClientSpawn(+0xA43) [0x79FEB143] - (D:\japp\game\g_client.cpp:3007)
OJKC4BA.tmp::respawn(+0x27F) [0x79FF16CF] - (D:\japp\game\g_client.cpp:1025)
OJKC4BA.tmp::ClientThink_real(+0x4BF8) [0x79FDD7C8] - (D:\japp\game\g_active.cpp:3124)
OJKC4BA.tmp::ClientThink(+0x94) [0x79FD4364] - (D:\japp\game\g_active.cpp:3240)
openjkded.x86.exe::openjk_minizip_malloc(+0x1636A) [0x0035CD1A]
openjkded.x86.exe::openjk_minizip_malloc(+0xF5CA) [0x00355F7A]
openjkded.x86.exe::openjk_minizip_malloc(+0x105AA) [0x00356F5A]
openjkded.x86.exe::openjk_minizip_malloc(+0x10156) [0x00356B06]
openjkded.x86.exe::openjk_minizip_malloc(+0x14002) [0x0035A9B2]
openjkded.x86.exe [0x0033B06F]
openjkded.x86.exe [0x00340D2C]
openjkded.x86.exe [0x003417EE]
openjkded.x86.exe [0x0033A295]
openjkded.x86.exe::openjk_minizip_malloc(+0x31192) [0x00377B42]
openjkded.x86.exe::openjk_minizip_malloc(+0x5B20B) [0x003A1BBB]
KERNEL32.DLL::BaseThreadInitThunk(+0x19) [0x762C6739]
ntdll.dll::RtlGetFullPathName_UEx(+0x4BF) [0x77288AFF]
ntdll.dll::RtlGetFullPathName_UEx(+0x48D) [0x77288ACD]


        Extra Information


      Server info / players

Map: mp/ffa1

Players: 1/32:

|ID|Name                                |Ping|IP                    |
+--+------------------------------------+----+----------------------+
|0 |^4Charles^1E2                       |3   |192.168.1.6:29071     |
+--+------------------------------------+----+----------------------+

         End of crash log

========================================

Charlese2 commented 2 years ago

It used to divide numSpots by 2 as it would sort the list_spot array by distance. That would allow it to get the furthest half of spawns. That is also why it didn't crash until commit 43651a02a966361431ae64acbc366e3a38a137ae.

Before: https://github.com/Razish/japp/blob/42d7cf5113ef43cc3bef70b449b8381ea23c56d2/game/g_client.cpp#L715
After: https://github.com/Razish/japp/blob/43651a02a966361431ae64acbc366e3a38a137ae/game/g_client.cpp#L647
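To make the boundary described in the report and the follow-up above concrete, here is a constructed model (added here, not japp's code): numSpots counts the filled entries of list_spot, an inclusive Q_irand(0, numSpots) can return numSpots itself, and bounding the draw by numSpots - 1 keeps every pick inside the list. irand_inclusive, collect_spots, select_buggy, select_fixed and count_bad_picks are stand-ins, not japp functions, and the inclusive behaviour of Q_irand is taken from the thread.

```c
/* Constructed model of the off-by-one reported in this issue; not japp's own
 * code. list_spot holds numSpots valid entries at indices 0..numSpots-1. */
#include <stdio.h>

#define MAX_SPAWN_POINTS 64
typedef float vec3_t[3];
typedef struct { vec3_t origin; } spawn_t;

/* Stand-in for Q_irand, inclusive on both ends as the thread confirms; the
 * draw is injected rather than taken from rand() so the edge is reproducible. */
static int irand_inclusive(int min, int max, unsigned draw) {
    return min + (int)(draw % (unsigned)(max - min + 1));
}

/* Fills list_spot from a constructed pool; numSpots ends as the entry count. */
static int collect_spots(const spawn_t *pool, int poolCount, const spawn_t *list_spot[]) {
    int numSpots = 0;
    for (int i = 0; i < poolCount && numSpots < MAX_SPAWN_POINTS; i++)
        list_spot[numSpots++] = &pool[i];
    return numSpots;
}

/* Buggy pick: Q_irand(0, numSpots) can return numSpots, one past the last filled
 * entry. The caller keeps a spare NULL slot so the stale read is observable here. */
static const spawn_t *select_buggy(const spawn_t *list_spot[], int numSpots, unsigned draw) {
    return list_spot[irand_inclusive(0, numSpots, draw)];
}

/* Fixed pick: last valid index is numSpots - 1; an empty list is rejected first. */
static const spawn_t *select_fixed(const spawn_t *list_spot[], int numSpots, unsigned draw) {
    if (numSpots <= 0) return NULL;
    return list_spot[irand_inclusive(0, numSpots - 1, draw)];
}

/* Counts how many of the numSpots+1 inclusive draws land on an unfilled slot. */
static int count_bad_picks(const spawn_t *list_spot[], int numSpots) {
    int bad = 0;
    for (unsigned draw = 0; draw <= (unsigned)numSpots; draw++)
        if (select_buggy(list_spot, numSpots, draw) == NULL) bad++;
    return bad;
}

int main(void) {
    spawn_t pool[3] = {{{0, 0, 0}}, {{10, 0, 0}}, {{20, 0, 0}}};   /* constructed spots */
    const spawn_t *list_spot[MAX_SPAWN_POINTS + 1] = {NULL};
    int numSpots = collect_spots(pool, 3, list_spot);
    printf("%d of %d inclusive draws read past the list; the fixed pick never does\n",
           count_bad_picks(list_spot, numSpots), numSpots + 1);
    return 0;
}
```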

ensiform commented 2 years ago

Is Q_irand inclusive?

Charlese2 commented 2 years ago

It is.