
Fix use-after-free when calling v.drawString in Lua

Hanicef requested to merge Hanicef/SRB2:fix-use-after-free-drawstring into next

Since the release of 2.2.11, it's gotten kinda rough to track down crash-related bugs due to all the simple ones being fixed. As such, I once again brought out the big guns with MemorySanitizer, and I found that the v.drawString Lua function has a small chance of segfaulting due to use-after-free. This is because the engine uses a shared memory buffer for all strings that are rendered on-screen, and this buffer is resized using Z_ReallocAlign. The problem here is that since there's no guarantee that there is enough memory for it to grow in-place, it might need to move the memory address where the buffer is stored. This causes all pointers used in strings to now be dangling, since they still point towards the old address.

The fix simply re-aligns the addresses by adding the string addresses to the offset of the old vs the new address, thus correctly pointing the addresses to the new memory address.
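To make the failure mode concrete, the following is an added C example, not SRB2's code: a hypothetical shared string buffer (strpool_t) whose resize is modelled by always_move_realloc, an allocator stand-in that never grows in place, so every resize leaves pointers into the old block dangling. pool_queue records each queued string as a pointer into the buffer; with fixup set to 0 the pointers are left untouched across a resize (the bug), with fixup set to 1 they are rebased onto the new block (the fix). The offsets are captured before the reallocation, so no arithmetic is ever performed on a freed pointer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a shared on-screen string buffer; names are invented
 * for this example and are not SRB2 identifiers. */

#define MAX_QUEUED 16

typedef struct {
    char  *buf;                 /* one shared buffer for every queued string */
    size_t cap;                 /* bytes allocated */
    size_t used;                /* bytes in use */
    size_t count;               /* number of queued strings */
    char  *ptrs[MAX_QUEUED];    /* queued strings, stored as pointers INTO buf */
} strpool_t;

/* Stand-in for an allocator that cannot grow in place: every resize returns a
 * new block, so any pointer into the old block dangles afterwards. */
static char *always_move_realloc(char *old, size_t old_size, size_t new_size)
{
    char *fresh = malloc(new_size);
    if (!fresh)
        abort();
    if (old) {
        memcpy(fresh, old, old_size);
        free(old);
    }
    return fresh;
}

void pool_init(strpool_t *p, size_t initial_cap)
{
    p->buf = always_move_realloc(NULL, 0, initial_cap);
    p->cap = initial_cap;
    p->used = 0;
    p->count = 0;
}

void pool_free(strpool_t *p)
{
    free(p->buf);
    memset(p, 0, sizeof *p);
}

/* Append s to the shared buffer and record where it starts. fixup == 0 leaves
 * earlier pointers alone across a resize (the use-after-free); fixup != 0
 * rebases them onto the new block by their offset. */
int pool_queue(strpool_t *p, const char *s, int fixup)
{
    size_t len = strlen(s) + 1;
    if (p->count == MAX_QUEUED)
        return -1;
    if (p->used + len > p->cap) {
        size_t new_cap = p->cap;
        size_t offs[MAX_QUEUED];
        size_t i;
        while (p->used + len > new_cap)
            new_cap *= 2;
        /* Capture offsets while the old block is still live. */
        for (i = 0; i < p->count; i++)
            offs[i] = (size_t)(p->ptrs[i] - p->buf);
        p->buf = always_move_realloc(p->buf, p->used, new_cap);
        p->cap = new_cap;
        if (fixup)
            for (i = 0; i < p->count; i++)
                p->ptrs[i] = p->buf + offs[i];
    }
    memcpy(p->buf + p->used, s, len);
    p->ptrs[p->count++] = p->buf + p->used;
    p->used += len;
    return 0;
}

/* Count queued pointers that lie outside the live buffer. The check works on
 * integer values of the pointers so a stale one is never dereferenced. */
size_t pool_dangling_count(const strpool_t *p)
{
    uintptr_t lo = (uintptr_t)p->buf, hi = lo + p->cap;
    size_t i, n = 0;
    for (i = 0; i < p->count; i++) {
        uintptr_t v = (uintptr_t)p->ptrs[i];
        if (v < lo || v >= hi)
            n++;
    }
    return n;
}

/* Return the i-th queued string, or NULL if its recorded pointer is stale. */
const char *pool_get(const strpool_t *p, size_t i)
{
    uintptr_t lo = (uintptr_t)p->buf, hi = lo + p->cap;
    uintptr_t v;
    if (i >= p->count)
        return NULL;
    v = (uintptr_t)p->ptrs[i];
    if (v < lo || v >= hi)
        return NULL;
    return p->ptrs[i];
}
```

With an 8-byte initial buffer, queueing "HELLO" and then "WORLD!" forces a resize on the second call; without the fix-up the first entry is left pointing into the freed block, with it both entries resolve. Storing offsets into the buffer instead of raw pointers removes the need for any fix-up pass at all, and is the simpler design when the buffer is shared and can move.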
