From 8bebf698efd5ec5e77a805f3fddf43fa2f02b546 Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Thu, 7 Nov 2024 07:18:12 +0300
Subject: [PATCH] ref: fix out of bound access when the entity is marked as player but has invalid number

It's possible when client.dll passes a self allocated entity and wants to draw it as player but doesn't initialize or set the entity number correctly.
---
 ref/gl/gl_studio.c | 24 +++++++++++++++---------
 ref/soft/r_studio.c | 8 ++++++--
 2 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/ref/gl/gl_studio.c b/ref/gl/gl_studio.c
index ec978955..6e3f28be 100644
--- a/ref/gl/gl_studio.c
+++ b/ref/gl/gl_studio.c
@@ -2653,8 +2653,11 @@ R_StudioSetupPlayerModel
 */
 static model_t *R_StudioSetupPlayerModel( int index )
 {
- player_info_t *info = gEngfuncs.pfnPlayerInfo( index );
- player_model_t *state;
+ player_info_t *info = gEngfuncs.pfnPlayerInfo( index );
+ player_model_t *state;
+
+ if( index < 0 || index >= gp_cl->maxclients )
+ return NULL;

 state = &g_studio.player_models[index];

@@ -2670,7 +2673,8 @@ static model_t *R_StudioSetupPlayerModel( int index )
 if( gEngfuncs.fsapi->FileExists( state->modelname, false ))
 state->model = gEngfuncs.Mod_ForName( state->modelname, false, true );
- else state->model = NULL;
+ else
+ state->model = NULL;

 if( !state->model )
 state->model = RI.currententity->model;

@@ -2695,18 +2699,20 @@ check for texture flags
 */
 int R_GetEntityRenderMode( cl_entity_t *ent )
 {
- int i, opaque, trans;
- mstudiotexture_t *ptexture;
- cl_entity_t *oldent;
- model_t *model;
- studiohdr_t *phdr;
+ int i, opaque, trans;
+ mstudiotexture_t *ptexture;
+ cl_entity_t *oldent;
+ model_t *model = NULL;
+ studiohdr_t *phdr;

 oldent = RI.currententity;
 RI.currententity = ent;

 if( ent->player ) // check it for real playermodel
 model = R_StudioSetupPlayerModel( ent->curstate.number - 1 );
- else model = ent->model;
+
+ if( !model )
+ model = ent->model;

 RI.currententity = oldent;
 
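Review bot: The new range check on `index` in R_StudioSetupPlayerModel runs only after `gEngfuncs.pfnPlayerInfo( index )` has already been evaluated with the unvalidated value (the initializer on the first `+` line), so a mis-numbered entity — `curstate.number` of 0 gives -1 here — still hands an out-of-range index to the engine callback before the guard rejects it. Unless pfnPlayerInfo is known to validate its own argument, declare `player_info_t *info;` first, put the guard next, and assign `info = gEngfuncs.pfnPlayerInfo( index );` only after it. The guard also compares against `gp_cl->maxclients` rather than the capacity of `g_studio.player_models`; the array's declaration is not in the hunk, and if the two can differ, bounding by the array size (an `ARRAYSIZE`-style expression) is what actually prevents the out-of-bound access the commit describes. The function body continues past the hunk and presumably uses `info` there, so the early return also skips that code.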
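Review bot: In R_GetEntityRenderMode, after the new `if( !model ) model = ent->model;` fallback, `model` can still be NULL when the entity carries no model of its own, and nothing in the hunk checks for that before the body continues past `RI.currententity = oldent;`. If the remainder dereferences `model` (e.g. to reach its studio header), a guard right after the restore — `if( !model ) return <default render mode>;` — is needed, or a confirmation that one already exists below the hunk. The fallback also silently hides the client.dll bug the commit describes; a developer-level message when `ent->player` is set but R_StudioSetupPlayerModel returned NULL would make the misbehaving entity visible instead of masking it. The five re-aligned declaration lines are whitespace-only and make the one functional change in this hunk harder to spot.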
diff --git a/ref/soft/r_studio.c b/ref/soft/r_studio.c
index d18ff33c..714b25bb 100644
--- a/ref/soft/r_studio.c
+++ b/ref/soft/r_studio.c
@@ -2353,6 +2353,9 @@ static model_t *R_StudioSetupPlayerModel( int index )
 player_info_t *info = gEngfuncs.pfnPlayerInfo( index );
 player_model_t *state;

+ if( index < 0 || index >= gp_cl->maxclients )
+ return NULL;
+
 state = &g_studio.player_models[index];

 // g-cont: force for "dev-mode", non-local games and menu preview
@@ -2396,7 +2399,7 @@ int R_GetEntityRenderMode( cl_entity_t *ent )
 int i, opaque, trans;
 mstudiotexture_t *ptexture;
 cl_entity_t *oldent;
- model_t *model;
+ model_t *model = NULL;
 studiohdr_t *phdr;

 oldent = RI.currententity;
@@ -2404,7 +2407,8 @@ int R_GetEntityRenderMode( cl_entity_t *ent )
 if( ent->player ) // check it for real playermodel
 model = R_StudioSetupPlayerModel( ent->curstate.number - 1 );
- else
+
+ if( !model )
 model = ent->model;

 RI.currententity = oldent;
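Review bot: Here too the guard is inserted below the context line `player_info_t *info = gEngfuncs.pfnPlayerInfo( index );`, so the engine callback is still invoked with the unchecked, possibly negative index before the new `return NULL` rejects it; swapping the order — declare `info`, run the guard, then `info = gEngfuncs.pfnPlayerInfo( index );` — keeps the bad value out of the whole function. The added lines carry no explanation of why an out-of-range index can reach a renderer-internal helper; a short comment would save the next reader a trip to the commit log: `// client.dll may mark a self-allocated entity as player without setting a valid number`. The function's body continues past the hunk.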
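Review bot: The surviving comment `// check it for real playermodel` in R_GetEntityRenderMode now describes only half of the logic: with `model` pre-set to NULL and the unconditional `if( !model )` that replaced the `else`, a reader cannot see from the hunk that `ent->model` is also the path taken when the player slot was rejected. Suggest extending it to `// players: use the real player model; fall back to ent->model when the slot is invalid or unset`. The body continues beyond this hunk, so whether `model` is NULL-checked afterwards is not visible here.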