Closed edo9300 closed 2 years ago
When resolving a `MSG_SORT_CARD` or `MSG_SORT_CHAIN` message, https://github.com/edo9300/edopro/blob/7d41f54fe3f0226368182732c5faf21e47bd272a/gframe/client_field.h#L76 gets populated, and is then cleared when the client sends the selection. If the duel is terminated while the card list is still showing, that vector will never be cleared, and the next time a card selection that has more than 5 cards is performed and the scrollbar is scrolled, the client will take the wrong path in the scroll handling https://github.com/edo9300/edopro/blob/7d41f54fe3f0226368182732c5faf21e47bd272a/gframe/event_handler.cpp#L932 and will attempt to read the `sort_list` array, very likely performing an out-of-bounds read and, if not crashing, displaying a "glitched" card selection window.
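A simplified model of the stale-state failure described above, with the unsafe scroll handler beside a hardened one. This is an added example, not code from the edopro repository: apart from `sort_list`, every name is hypothetical, and it assumes the handler chooses the sort path whenever `sort_list` is non-empty.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Simplified model of the state in the report. Only sort_list is a name from
// the page; every other identifier here is hypothetical.
struct Field {
    std::vector<int> selectable_cards;  // cards shown in the selection window
    std::vector<int> sort_list;         // filled while a sort message is resolved
};
enum class Result { Ok, OutOfBounds };
constexpr std::size_t kVisible = 5;     // more cards than this enables scrolling

// Unsafe handler: any non-empty sort_list is treated as "a sort is active".
// at() is used so the bad index throws instead of being undefined behaviour.
int label_unsafe(const Field& f, std::size_t pos, std::size_t slot) {
    if (!f.sort_list.empty()) return f.sort_list.at(pos + slot);
    return 0;  // normal selection: no sort label
}

// Defence in depth: take the sort path only when sort_list matches the
// current selection, and check the index before reading.
int label_safe(const Field& f, std::size_t pos, std::size_t slot) {
    const std::size_t i = pos + slot;
    if (f.sort_list.size() == f.selectable_cards.size() && i < f.sort_list.size())
        return f.sort_list[i];
    return 0;
}

// Primary fix: every duel teardown path resets per-selection state.
void end_duel(Field& f) { f.selectable_cards.clear(); f.sort_list.clear(); }

// Replays the report: a 3-card sort is interrupted by the duel ending, then a
// 7-card selection is scrolled to position 2.
Result replay(bool clear_on_end, bool hardened) {
    Field f{{1, 2, 3}, {0, 0, 0}};              // sort message populates both
    if (clear_on_end) end_duel(f);              // otherwise sort_list goes stale
    f.selectable_cards = {1, 2, 3, 4, 5, 6, 7}; // next selection, more than 5
    try {
        for (std::size_t slot = 0; slot < kVisible; ++slot)
            (hardened ? label_safe : label_unsafe)(f, 2, slot);
    } catch (const std::out_of_range&) { return Result::OutOfBounds; }
    return Result::Ok;
}

int main() {
    std::printf("stale, unsafe:   %d\n", replay(false, false) == Result::Ok);
    std::printf("cleared, unsafe: %d\n", replay(true, false) == Result::Ok);
    std::printf("stale, hardened: %d\n", replay(false, true) == Result::Ok);
}
```

The size check alone would still show stale labels if the leftover list happened to match the new selection's length, which is why clearing the vector on teardown is the primary fix.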