ref: fix out of bound access when the entity is marked as player but has invalid number

It's possible when client.dll passes a self allocated entity and wants to draw it as player but doesn't initialize or set the entity number correctly.
2024-11-22 01:45:19 +01:00 · 2024-11-07 07:18:12 +03:00 · 2024-11-07 07:18:12 +03:00 · 8bebf698ef
commit 8bebf698ef
parent 6a2a2c33ee
2 changed files with 21 additions and 11 deletions
--- a/ref/gl/gl_studio.c
+++ b/ref/gl/gl_studio.c
@ -2653,8 +2653,11 @@ R_StudioSetupPlayerModel
 */
 static model_t *R_StudioSetupPlayerModel( int index )
 {
-	player_info_t	*info = gEngfuncs.pfnPlayerInfo( index );
-	player_model_t	*state;
+	player_info_t  *info = gEngfuncs.pfnPlayerInfo( index );
+	player_model_t *state;
+
+	if( index < 0 || index >= gp_cl->maxclients )
+		return NULL;

 	state = &g_studio.player_models[index];

@ -2670,7 +2673,8 @@ static model_t *R_StudioSetupPlayerModel( int index )

 			if( gEngfuncs.fsapi->FileExists( state->modelname, false ))
 				state->model = gEngfuncs.Mod_ForName( state->modelname, false, true );
-			else state->model = NULL;
+			else
+				state->model = NULL;

 			if( !state->model )
 				state->model = RI.currententity->model;
@ -2695,18 +2699,20 @@ check for texture flags
 */
 int R_GetEntityRenderMode( cl_entity_t *ent )
 {
-	int		i, opaque, trans;
-	mstudiotexture_t	*ptexture;
-	cl_entity_t	*oldent;
-	model_t		*model;
-	studiohdr_t	*phdr;
+	int              i, opaque, trans;
+	mstudiotexture_t *ptexture;
+	cl_entity_t      *oldent;
+	model_t          *model = NULL;
+	studiohdr_t      *phdr;

 	oldent = RI.currententity;
 	RI.currententity = ent;

 	if( ent->player ) // check it for real playermodel
 		model = R_StudioSetupPlayerModel( ent->curstate.number - 1 );
-	else model = ent->model;
+
+	if( !model )
+		model = ent->model;

 	RI.currententity = oldent;

--- a/ref/soft/r_studio.c
+++ b/ref/soft/r_studio.c
@ -2353,6 +2353,9 @@ static model_t *R_StudioSetupPlayerModel( int index )
 	player_info_t  *info = gEngfuncs.pfnPlayerInfo( index );
 	player_model_t *state;

+	if( index < 0 || index >= gp_cl->maxclients )
+		return NULL;
+
 	state = &g_studio.player_models[index];

 	// g-cont: force for "dev-mode", non-local games and menu preview
@ -2396,7 +2399,7 @@ int R_GetEntityRenderMode( cl_entity_t *ent )
 	int              i, opaque, trans;
 	mstudiotexture_t *ptexture;
 	cl_entity_t      *oldent;
-	model_t          *model;
+	model_t          *model = NULL;
 	studiohdr_t      *phdr;

 	oldent = RI.currententity;
@ -2404,7 +2407,8 @@ int R_GetEntityRenderMode( cl_entity_t *ent )

 	if( ent->player ) // check it for real playermodel
 		model = R_StudioSetupPlayerModel( ent->curstate.number - 1 );
-	else
+
+	if( !model )
 		model = ent->model;

 	RI.currententity = oldent;