senoutouya / recastnavigation

Automatically exported from code.google.com/p/recastnavigation
zlib License

buffer overflow in recast #216

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There looks to be a potential buffer overflow in rcBuildPolyMeshDetail(). There 
is a declaration:

rcIntArray stack(512);

and then this variable is eventually passed to getHeightData()
which conditionally applies the following:

memmove(&stack[0], &stack[RETRACT_SIZE*3], sizeof(int)*(stack.size()-RETRACT_SIZE*3));

where RETRACT_SIZE is defined as such:
static const int RETRACT_SIZE = 256;

Shouldn't the initial allocation of stack be large enough to hold RETRACT_SIZE 
* 3 * 2 integers?

Original issue reported on code.google.com by DahliaTr...@gmail.com on 4 Oct 2012 at 11:36

GoogleCodeExporter commented 9 years ago
This is fine, the move is done only when the stack size has grown larger than 
RETRACT_SIZE*3.

Original comment by memono...@gmail.com on 19 Sep 2013 at 6:23
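The following is an added example that models the retract step discussed in this thread; it is not recastnavigation's own code. It assumes the growable int array (rcIntArray in the report, modelled here with std::vector) and uses the RETRACT_SIZE value quoted above. The point it demonstrates is the one in the maintainer's reply: the memmove source index RETRACT_SIZE*3 only becomes valid once the array has grown past that many ints, so the 512 in the declaration is an initial capacity rather than a bound the move can exceed, provided the move is guarded by the size check. The retract() function below makes that guard explicit and returns how many ints remain, so the behaviour can be checked on constructed input.

```cpp
#include <cassert>
#include <cstring>
#include <vector>

// Constructed model of the retract step from the issue (not the project's code).
// RETRACT_SIZE matches the constant quoted in the report.
static const int RETRACT_SIZE = 256;

// True when the oldest RETRACT_SIZE*3 ints can be dropped. The memmove reads
// from index RETRACT_SIZE*3, so it is in bounds only when size() exceeds that.
bool canRetract(const std::vector<int>& stack) {
    return stack.size() > static_cast<size_t>(RETRACT_SIZE * 3);
}

// Drops the oldest RETRACT_SIZE (x, y, index) triples from the front of the
// stack, performing the memmove only under the guard above. Returns the number
// of ints left after the retract (0 when nothing was moved).
size_t retract(std::vector<int>& stack) {
    const size_t drop = static_cast<size_t>(RETRACT_SIZE * 3);
    if (!canRetract(stack)) return 0;
    const size_t remaining = stack.size() - drop;
    // Source range [drop, drop + remaining) == [drop, size()), so it is inside the buffer.
    std::memmove(&stack[0], &stack[drop], sizeof(int) * remaining);
    stack.resize(remaining);
    return remaining;
}

// Simulates a flood fill that pushes `triples` (x, y, index) triples onto a
// stack with the same initial capacity as the declaration in the report, then
// applies one retract. Returns the resulting size.
size_t fillAndRetract(int triples) {
    std::vector<int> stack;
    stack.reserve(512);  // initial capacity only; push_back grows the buffer as needed
    for (int t = 0; t < triples; ++t) {
        stack.push_back(t);      // x
        stack.push_back(t * 2);  // y
        stack.push_back(t * 3);  // cell index
    }
    retract(stack);
    return stack.size();
}

// Same simulation, but returns the first int left after the retract so the
// caller can confirm the move brought element RETRACT_SIZE*3 to the front.
int frontAfterFillAndRetract(int triples) {
    std::vector<int> stack;
    for (int t = 0; t < triples; ++t) {
        stack.push_back(t);
        stack.push_back(t * 2);
        stack.push_back(t * 3);
    }
    retract(stack);
    return stack.empty() ? -1 : stack[0];
}
```

With 256 triples the stack holds exactly RETRACT_SIZE*3 ints and the guard rejects the move; with 300 triples (900 ints) the move copies the trailing 132 ints to the front and the triple that was at index 768 (x = 256) becomes the first element.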