ValveSoftware / halflife

Half-Life 1 engine based games

[HL25] Crash with too long string in autocomplete prompts in the client console #3752

Open Splatt581 opened 3 months ago

Splatt581 commented 3 months ago

The game client crashes if the autocomplete prompts in the console receive a string that is too long.

How to reproduce:

  1. Type or manually paste a long string such as aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa into the client console and execute it.
  2. Now, while in the console, press the up button (UPARROW) or down button (DOWNARROW), the client will try to insert the last executed string into autocomplete and crash.

This bug does not occur in the steam_legacy branch.

Bug №2: Also, if you try to paste and execute the above long string into the HLDS server console with VGUI, it will cause an "Assertion failed" error.

0Ky commented 3 months ago

I was unable to reproduce it on Linux, but it works on Windows.

I believe the game crashes when retrieving a previously entered console command of 254 characters, but not with 253 characters, which might be due to a buffer overflow caused by an off-by-one error in the handling of input history.

Here's the crash analysis with stack trace:

*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** WARNING: Unable to verify timestamp for SDL2.dll
*** WARNING: Unable to verify checksum for chromehtml.dll

KEY_VALUES_STRING: 1

    Key  : AV.Fault
    Value: Write

    Key  : Analysis.CPU.mSec
    Value: 1858

    Key  : Analysis.DebugAnalysisManager
    Value: Create

    Key  : Analysis.Elapsed.mSec
    Value: 203786

    Key  : Analysis.Init.CPU.mSec
    Value: 1139

    Key  : Analysis.Init.Elapsed.mSec
    Value: 74926

    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 176

    Key  : Timeline.OS.Boot.DeltaSec
    Value: 261600

    Key  : Timeline.Process.Start.DeltaSec
    Value: 70

    Key  : WER.OS.Branch
    Value: ni_release

    Key  : WER.OS.Timestamp
    Value: 2022-05-06T12:50:00Z

    Key  : WER.OS.Version
    Value: 10.0.22621.1

    Key  : WER.Process.Version
    Value: 1.1.1.1

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 62a19952 (gameui!CreateInterface+0x00023962)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 20def1b3
Attempt to write to address 20def1b3

FAULTING_THREAD:  00005f98

PROCESS_NAME:  hl.exe

WRITE_ADDRESS:  20def1b3 

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  20def1b3

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
00def1a8 62a19aec     00000058 25731ce0 00000012 gameui!CreateInterface+0x23962
00def1bc 62a395e3     00000058 7973bbcb 25731ce0 gameui!CreateInterface+0x23afc
00def1e8 62a3ac2b     00000058 664f6560 664f2248 gameui!CreateInterface+0x435f3
00def228 664e380a     3c154818 00000000 664f6560 gameui!CreateInterface+0x44c3b
00def25c 664e4ad9     10a650c6 00000000 00def378 vgui2+0x1380a
00def298 50c8c47a     00000000 00def378 6b860000 vgui2+0x14ad9
00def2ac 50c8baee     000002de 00000085 00000780 hw!vgui::Frame::operator=+0x180a
00def2e0 50cad8af     00def378 9614a9db 403b4dd3 hw!vgui::Frame::operator=+0xe7e
00def2f4 50c34792     00def378 07a38664 0000014c hw!vgui::Frame::operator=+0x22c3f
00def330 50c3291e     363be7a2 00000000 50d7db98 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x3c9d2
00def35c 50c811f9     363be7a2 00000001 00def378 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x3ab5e
00def37c 50c8091b     50d28000 00def3d0 50c802f8 hw!F+0x299
00def388 50c802f8     00b30000 00b36348 09366980 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x88b5b
00def3d0 00b3159c     00b30000 00b36348 09366980 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x88538
00def8b4 00b32e48     00b30000 00000000 014429a9 hl+0x159c
00def900 751f7ba9     00e8f000 751f7b90 00def968 hl!CreateInterface+0x1458
00def910 770bbd2b     00e8f000 9aa0db23 00000000 KERNEL32!BaseThreadInitThunk+0x19
00def968 770bbcaf     ffffffff 770e92c6 00000000 ntdll_77050000!__RtlUserThreadStart+0x2b
00def978 00000000     00b32ecc 00e8f000 00000000 ntdll_77050000!_RtlUserThreadStart+0x1b

STACK_COMMAND:  ~0s ; .cxr ; kb

SYMBOL_NAME:  gameui+23962

MODULE_NAME: gameui

IMAGE_NAME:  gameui.dll

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_gameui.dll!Unknown

OS_VERSION:  10.0.22621.1

BUILDLAB_STR:  ni_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {e2e6686e-1afe-11c1-8924-e10db4b5316a}

Followup:     MachineOwner
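The comment above hypothesises an off-by-one in the input-history handling (a 254-character entry crashes, a 253-character one does not). The engine source is not public, so the C program below is an added model of that hypothesis, not code from the project or from either participant: the buffer size `MAX_LINE` (253 characters plus NUL), the `struct console` layout with a canary byte placed right after the edit buffer, and the function names `recall_unsafe` / `recall_safe` / `demo` are all assumptions chosen so that the 253/254 threshold from the report is reproduced in a way that stays observable without a real crash. The vulnerable recall checks `len > MAX_LINE` where it needs `len >= MAX_LINE`, so the terminating NUL of a maximum-length entry lands one byte past the buffer; the hardened version rejects any entry that cannot fit together with its terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sizes, chosen only to mirror the 253-OK / 254-crash threshold
 * reported in the thread; they are NOT the engine's real constants. */
#define MAX_LINE 254          /* edit buffer: 253 characters + NUL */
#define CANARY   0xA5

struct console {
    char edit[MAX_LINE];      /* line currently being edited in the console */
    unsigned char canary;     /* byte immediately after edit[], so a one-byte overrun is visible */
};

static void console_init(struct console *c)
{
    memset(c->edit, 0, sizeof c->edit);
    c->canary = CANARY;
}

/* Returns 1 if the byte after the edit buffer is still untouched. */
static int canary_intact(const struct console *c)
{
    return c->canary == CANARY;
}

/* Modelled vulnerable recall (not the engine's code): the bound check uses '>'
 * where '>=' is needed.  A 254-character history entry passes the check,
 * memcpy fills every byte of edit[], and the terminating NUL is written one
 * past the end.  The struct is addressed as raw bytes so that the overrun hits
 * the canary field and the behaviour stays well defined for this demo. */
static int recall_unsafe(struct console *c, const char *entry)
{
    size_t len = strlen(entry);
    char *dst = (char *)c;    /* edit[] starts at offset 0 of the struct */
    if (len > MAX_LINE)       /* off by one: len == MAX_LINE slips through */
        return -1;
    memcpy(dst, entry, len);
    dst[len] = '\0';          /* len == 254 overwrites the canary */
    return 0;
}

/* Hardened recall: anything that cannot fit with its terminator is refused,
 * and the terminator is copied in the same bounded operation. */
static int recall_safe(struct console *c, const char *entry)
{
    size_t len = strlen(entry);
    if (len >= sizeof c->edit)
        return -1;
    memcpy(c->edit, entry, len + 1);
    return 0;
}

/* Build a constructed history entry of n 'a' characters (like the reproducer
 * string in the report), recall it with the chosen routine, and report
 * whether the byte after the buffer survived.  Returns 1 if the canary is
 * intact, 0 if it was clobbered, -1 on allocation failure. */
static int demo(size_t n, int use_safe)
{
    struct console c;
    int intact;
    char *entry = malloc(n + 1);
    if (!entry)
        return -1;
    memset(entry, 'a', n);
    entry[n] = '\0';
    console_init(&c);
    if (use_safe)
        recall_safe(&c, entry);
    else
        recall_unsafe(&c, entry);
    intact = canary_intact(&c);
    free(entry);
    return intact;
}

int main(void)
{
    printf("unsafe, 253 chars: canary %s\n", demo(253, 0) ? "intact" : "CLOBBERED");
    printf("unsafe, 254 chars: canary %s\n", demo(254, 0) ? "intact" : "CLOBBERED");
    printf("safe,   254 chars: canary %s\n", demo(254, 1) ? "intact" : "CLOBBERED");
    printf("safe,  1000 chars: canary %s\n", demo(1000, 1) ? "intact" : "CLOBBERED");
    return 0;
}
```

In the real client the byte after the buffer is whatever neighbours it on the stack or heap rather than a canary, which is why the symptom is an access violation on the next recall rather than a clean failure; the fix direction is the same either way: bound the check with `>=` against the buffer size, or better, refuse to store a history entry that cannot be recalled into the edit buffer in the first place.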