callofduty4x / CoD4x_Server

Extended Call of Duty 4 server
https://cod4x.ovh
GNU Affero General Public License v3.0
335 stars, 120 forks

Fix potential OOB access during huffman decompression #396

Open Caball009 opened 1 year ago

Caball009 commented 1 year ago

If 'readsize' is equal to the size of the input buffer, there's potentially OOB access because the while loop increases the bit offset and only checks the nodes from the huffman tree and not whether the number of bits exceeds 'readsize'. This won't lead to problems if the size of the input buffer is greater than 'readsize', but it is still a design flaw.
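To make the description above concrete, here is an added, self-contained illustration (not code from this PR, from CoD4x or from ioquake3): a toy Huffman tree walk in the flawed shape, where the loop exits only on reaching a leaf, next to a hardened walk that refuses to consume a bit at or beyond `readsize * 8`. The tree (`'A' = 0`, `'B' = 10`, `'C' = 11`), the buffer contents and every function name (`walk_unchecked`, `walk_checked`, `decode_symbols`, `run_demo`) are constructed for the demo and do not correspond to the engine's Huffman table or its `Huff_offsetReceive` signature. The unchecked run is given one byte of slack behind the trusted region so it does not fault here; it only shows how many bits past `readsize` the walk consumes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy Huffman tree: leaves carry a symbol >= 0, internal nodes carry -1. */
typedef struct node_s {
    struct node_s *left;   /* followed on bit 0 */
    struct node_s *right;  /* followed on bit 1 */
    int symbol;
} node_t;

/* Constructed code: 'A' = 0, 'B' = 10, 'C' = 11 (hypothetical, not the engine's table). */
static node_t *build_demo_tree(node_t nodes[5]) {
    memset(nodes, 0, 5 * sizeof(node_t));
    nodes[0].symbol = -1; nodes[0].left = &nodes[1]; nodes[0].right = &nodes[2];
    nodes[1].symbol = 'A';
    nodes[2].symbol = -1; nodes[2].left = &nodes[3]; nodes[2].right = &nodes[4];
    nodes[3].symbol = 'B';
    nodes[4].symbol = 'C';
    return &nodes[0];
}

/* Read one bit at bit offset *bloc (LSB first within each byte) and advance. */
static int get_bit(const uint8_t *fin, int *bloc) {
    int bit = (fin[*bloc >> 3] >> (*bloc & 7)) & 1;
    (*bloc)++;
    return bit;
}

/* Flawed walk: the only exit condition is reaching a leaf, so a code that is cut off
   at the end of the trusted region makes it keep reading bits past readsize. */
static int walk_unchecked(const node_t *n, const uint8_t *fin, int *bloc) {
    while (n->symbol < 0)
        n = get_bit(fin, bloc) ? n->right : n->left;
    return n->symbol;
}

/* Hardened walk: refuse to consume any bit at or beyond readsize * 8. */
static int walk_checked(const node_t *n, const uint8_t *fin, int *bloc, int readsize) {
    while (n->symbol < 0) {
        if (*bloc >= readsize * 8)
            return -1;               /* truncated code: caller must abort */
        n = get_bit(fin, bloc) ? n->right : n->left;
    }
    return n->symbol;
}

/* Decode `count` symbols. Only the first `readsize` bytes of fin are trusted input.
   Returns the number of symbols written, or -1 once the checked walk hits the limit. */
int decode_symbols(const node_t *root, const uint8_t *fin, int readsize, int count,
                   char *out, int checked, int *bits_consumed) {
    int bloc = 0, i;
    for (i = 0; i < count; i++) {
        int sym = checked ? walk_checked(root, fin, &bloc, readsize)
                          : walk_unchecked(root, fin, &bloc);
        if (sym < 0) { *bits_consumed = bloc; return -1; }
        out[i] = (char)sym;
    }
    *bits_consumed = bloc;
    return count;
}

/* Demo: readsize = 1 byte holding 0xFF, but the caller asks for 5 symbols of 'C' (11),
   i.e. 10 bits. A second, untrusted byte sits behind it so the unchecked walk does not
   fault in this demo; in a real decoder that slack is exactly what is not guaranteed. */
int run_demo(int checked, char *out, int *bits_consumed) {
    node_t nodes[5];
    const node_t *root = build_demo_tree(nodes);
    uint8_t buf[2] = { 0xFF, 0xFF };   /* constructed input; only buf[0] is "readsize" */
    return decode_symbols(root, buf, 1, 5, out, checked, bits_consumed);
}

/* Small accessors so the outcome can be checked without printing. */
int demo_count(int checked) { char out[8]; int bits; return run_demo(checked, out, &bits); }
int demo_bits(int checked)  { char out[8]; int bits; run_demo(checked, out, &bits); return bits; }

int main(void) {
    char out[8] = {0};
    int bits;
    int n = run_demo(0, out, &bits);
    printf("unchecked: %d symbols, %d bits consumed (trusted limit is 8)\n", n, bits);
    n = run_demo(1, out, &bits);
    printf("checked:   returned %d, %d bits consumed\n", n, bits);
    return 0;
}
```

With the unchecked walk the demo decodes all five symbols and reports 10 bits consumed, two beyond the 8 bits that `readsize` covers; the checked walk decodes four symbols, stops at bit offset 8 and returns -1, which is the point at which the caller should reject the message.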

raphael12333 commented 2 months ago

Hi, why is this not merged? Is it because the cod4x modified MSG_ReadBitsCompress and the check decompressMsg.cursize == decompressMsg.maxsize are enough to prevent control access?

Can't the server still get crashed if Huff_offsetReceive is not fixed? (https://github.com/ioquake/ioq3/commit/d2b1d124d4055c2fcbe5126863487c52fd58cca1)

@proxict @IceNinjaman

raphael12333 commented 2 months ago

Ah, my bad, I thought this project was still active.

proxict commented 2 months ago

Hi, it's not merged because it's not tested yet. There are currently other things being worked on in cod4x in the background.

raphael12333 commented 2 months ago

> Hi, it's not merged because it's not tested yet. There are currently other things being worked on in cod4x in the background.

Ah ok, some exploits don't seem easy to do. I prefer to test security fixes before adding them too, but when I see it's too hard for me, I prefer to add them anyway rather than hoping that someday I would manage to test, if it's not too late.

proxict commented 2 months ago

If this bug was easily exploitable, it wouldn't have been publicly disclosed before fixing it.