ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[L4D2] Crash on SurvivorBot::IsReachable #3432

Open dragokas opened 4 years ago

dragokas commented 4 years ago

A very similar error to https://github.com/ValveSoftware/Source-1-Games/issues/3388

The crash happens because in the function SurvivorUseObject::ShouldGiveUp there is no null check at all when the CBaseEntity pointer is passed to the SurvivorBot::IsReachable function.

This causes an attempt to dereference a null pointer.

SIGSEGV /SEGV_MAPERR accessing 0x0

Thread 0 (crashed):
   0: server_srv.so!SurvivorBot::IsReachable(CBaseEntity*) const + 0xe
      eip: 0xee57211e  esp: 0xff99ed70  ebp: 0xff99ed98  ebx: 0x1016f480
      esi: 0x0e803a48  edi: 0x00000000  eax: 0x00000000  ecx: 0x00000000
      edx: 0x0e803a9c  efl: 0x00210282  

      ee572113  56                       push esi
      ee572114  53                       push ebx
      ee572115  83 ec 20                 sub esp, 0x20
      ee572118  8b 45 0c                 mov eax, [ebp+0xc]
      ee57211b  8b 5d 08                 mov ebx, [ebp+0x8]
  >   ee57211e  8b 10                    mov edx, [eax]
      ee572120  89 04 24                 mov [esp], eax
      ee572123  ff 92 88 02 00 00        call dword [edx+0x288]
      ee572129  c7 44 24 18 00 00 00 00  mov dword [esp+0x18], 0x0
      ee572131  89 44 24 04              mov [esp+0x4], eax
      ee572135  a1 a8 37 c2 ee           mov eax, [0xeec237a8]

      ff99ed70  80 f4 16 10 01 00 00 01  98 ed 99 ff 71 f0 b4 f7  ............q...
      ff99ed80  60 e3 c1 f7 00 00 80 3f  00 00 00 40 80 f4 16 10  `......?...@....
      ff99ed90  80 f4 16 10 48 3a 80 0e  18 ee 99 ff 32 b9 56 ee  ....H:......2.V.

      Found via instruction pointer in context

   1: server_srv.so!SurvivorUseObject::ShouldGiveUp(SurvivorBot*) const + 0x112
      eip: 0xee56b932  esp: 0xff99eda0  ebp: 0xff99ee18  ebx: 0x1016f480
      esi: 0x0e803a48  edi: 0x00000000  

      ff99eda0  80 f4 16 10 00 00 00 00  f0 ea 3b 12 84 e7 5d ee  ..........;...].
      ff99edb0  1c 26 17 10 f4 ed 99 ff  f8 ed 99 ff 3b bc 56 ee  .&..........;.V.
      ff99edc0  58 a2 d9 0e a0 3a 80 0e  18 ee 99 ff 56 55 92 43  X....:......VU.C
      ff99edd0  3e 20 93 43 80 f4 16 10  18 ee 99 ff 88 08 56 ee  > .C..........V.
      ff99ede0  80 f4 16 10 f4 8f f0 f7  68 00 00 00 e9 e7 ca 3f  ........h......?
      ff99edf0  80 f4 16 10 48 3a 80 0e  e0 dd 65 41 19 0f 56 ee  ....H:....eA..V.
      ff99ee00  48 3a 80 0e 58 a2 d9 0e  00 00 80 3f f4 ee 99 ff  H:..X......?....
      ff99ee10  80 f4 16 10 48 3a 80 0e  98 ee 99 ff cd 71 57 ee  ....H:.......qW.

      Found via call frame info

   2: server_srv.so!SurvivorBot::ScavengeNearbyItems(Action<SurvivorBot>*) + 0x28d
      eip: 0xee5771cd  esp: 0xff99ee20  ebp: 0xff99ee98  ebx: 0xff99eef4
      esi: 0x1016f480  edi: 0x0e803a48  

      ff99ee20  48 3a 80 0e 80 f4 16 10  98 ee 99 ff 00 00 00 00  H:..............
      ff99ee30  03 00 00 00 80 f4 16 10  00 00 00 00 48 a7 6b 45  ............H.kE
      ff99ee40  80 d2 f9 e9 0c 80 17 10  78 ee 99 ff 01 f4 b4 f7  ........x.......
      ff99ee50  00 80 3b 44 30 99 81 0f  00 00 00 3f d2 e2 14 00  ..;D0......?....
      ff99ee60  0c 80 17 10 c8 34 17 10  58 a2 d9 0e 8c 33 77 45  .....4..X....3wE
      ff99ee70  c8 06 8e 12 80 f4 16 10  98 ee 99 ff 71 f0 b4 f7  ............q...
      ff99ee80  60 e3 c1 f7 00 00 80 3f  00 00 00 40 80 f4 16 10  `......?...@....
      ff99ee90  48 4b ac 0c 0c 80 17 10  18 ef 99 ff e6 cf 55 ee  HK............U.

      Found via call frame info
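The dump itself shows the mechanism: in the 32-bit cdecl frame `[ebp+0x8]` is `this` and `[ebp+0xc]` is the `CBaseEntity*` argument; it is loaded into `eax`, which is `0x00000000` at the faulting `mov edx, [eax]`, i.e. the read of the entity's vtable pointer from address 0, immediately before what would have been a virtual call through `call dword [edx+0x288]`. The following C++ is an added illustration of that pattern and of the guard the report says is missing; it is not code from the issue, from the game, or from dragokas's fix. The class names mirror the dump, but their members, the virtual that is called, and the choice to treat a null target as "give up" are assumptions made for the example.

```cpp
#include <cstddef>

// Hypothetical stand-ins for the engine classes named in the crash dump.
// Only the shape that matters for the bug is modelled: CBaseEntity has a
// vtable, and SurvivorBot::IsReachable makes a virtual call on whatever
// entity pointer it is handed.
struct Vector { float x, y, z; };

class CBaseEntity {
public:
    virtual ~CBaseEntity() = default;
    // Assumed stand-in for the virtual the disassembly reaches via [edx+0x288].
    virtual Vector WorldSpaceCenter() const = 0;
};

class CItem : public CBaseEntity {
public:
    explicit CItem(Vector pos) : m_pos(pos) {}
    Vector WorldSpaceCenter() const override { return m_pos; }
private:
    Vector m_pos;
};

class SurvivorBot {
public:
    SurvivorBot(Vector pos, float reach) : m_pos(pos), m_reach(reach) {}

    // Mirrors the first instructions of the real function: the entity pointer
    // is used for a virtual call with no null check, as in
    //   mov  edx, [eax]           ; eax == entity, load vtable pointer
    //   call dword [edx+0x288]    ; virtual call
    // Passing nullptr reads address 0 and faults (SIGSEGV / SEGV_MAPERR at 0x0).
    bool IsReachable(CBaseEntity* entity) const {
        Vector c = entity->WorldSpaceCenter();
        float dx = c.x - m_pos.x, dy = c.y - m_pos.y, dz = c.z - m_pos.z;
        return dx * dx + dy * dy + dz * dz <= m_reach * m_reach;
    }
private:
    Vector m_pos;
    float m_reach;
};

// The "use object" action. Assumed trigger for the crash: the target entity
// goes away (picked up, removed) between starting the action and evaluating
// ShouldGiveUp, so the stored pointer is null by the time it is forwarded.
class SurvivorUseObject {
public:
    explicit SurvivorUseObject(CBaseEntity* target) : m_target(target) {}
    void ClearTarget() { m_target = nullptr; }

    // Unguarded version, as described in the report: m_target goes straight
    // into IsReachable. Calling this with a null target crashes.
    bool ShouldGiveUp_Unchecked(const SurvivorBot* bot) const {
        return !bot->IsReachable(m_target);
    }

    // Guarded version: a missing target means there is nothing left to use,
    // so the action gives up instead of dereferencing null. Returning "give
    // up" for a null target is this example's choice, not Valve's behaviour.
    bool ShouldGiveUp(const SurvivorBot* bot) const {
        if (m_target == nullptr)
            return true;
        return !bot->IsReachable(m_target);
    }
private:
    CBaseEntity* m_target;
};

// Scenario from the report: the target disappears mid-action.
bool GiveUpAfterTargetRemoved() {
    CItem medkit({10.f, 0.f, 0.f});
    SurvivorBot bot({0.f, 0.f, 0.f}, 50.f);
    SurvivorUseObject action(&medkit);
    action.ClearTarget();              // entity handle now resolves to null
    return action.ShouldGiveUp(&bot);  // guarded: true, no crash
}

// Normal case: the target still exists and is within reach.
bool GiveUpWithTargetPresent() {
    CItem medkit({10.f, 0.f, 0.f});
    SurvivorBot bot({0.f, 0.f, 0.f}, 50.f);
    SurvivorUseObject action(&medkit);
    return action.ShouldGiveUp(&bot);  // reachable, so false
}
```

The null check belongs in ShouldGiveUp (the caller that owns the possibly-stale target handle) rather than inside IsReachable, since the bot can only answer "reachable or not" for a real entity; leaving the check out of IsReachable also keeps the example faithful to the disassembly, where the first use of the argument is the vtable load.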

dragokas commented 4 years ago

I've made a fix for that. If somebody is suffering from the same crash, visit: https://forums.alliedmods.net/showpost.php?p=2725898&postcount=22