Console command "speak *anysoundfile" will crash game

[hzqst]

For example you type speak "*doors/doormove1.wav" in Half-Life's console, the game will crash and quit as soon as you commit this command.

The reason why game crashed is that VOX_LoadSound passed an invalid channel (NULL) as an argument to S_LoadSound.

sfxcache_t *VOX_LoadSound(channel_t *ch, char *pszin)
{
...
sc = S_LoadSound(ch->sfx, NULL);
...
}

Meanwhile S_LoadSound threated sfx as a stream sound and it went the stream way:

sfxcache_t *S_LoadSound (sfx_t *s, channel_t *ch)
{
...
    if (s->name[0] == '*')
        return S_LoadStreamSound(s, ch);
...
}

An invalid channel (NULL) went S_LoadStreamSound

sfxcache_t *S_LoadStreamSound(sfx_t *s, channel_t *ch)
{
    int     i;
    sfxcache_t  *sc;
....

    i = ch - channels;
    sc = Cache_Check(&s->cache);
    if (sc && wavstreams[i].hFile != FILESYSTEM_INVALID_HANDLE)
        return sc;
}

You know, linei = ch - channels; would give a large and unpredictable value to int i, and there would be an index out of bounds error in wavstreams[i].hFile, This would cause a memory access error and crash the game.

This bug could be used in some evil server owners trying to crash players' game.

[barspinoff]

Where you have taken source code?

[hzqst]

Linux engine binary (engine.so) has all function's name and global vars' name inside, so that you can generate c style code with debug tools even without pdb or any debug symbol file. However GoldSRC's sound engine is very similar as Quake2's so you can even find these from https://github.com/idsoftware/quake2/blob/master/client/snd_dma.c

[barspinoff]

VOX isn't exists in quake 2 engine

[SamVanheer]

@mikela-valve Can confirm this still crashes clients. Should be easy to fix, pass in the channel that gets set up right before the function call?