Integer overflow and null pointer dereference in CMap::Load() in engine/shared/map.cpp #2071
Comments
The code is located here: teeworlds/src/engine/shared/map.cpp Lines 58 to 73 in 6dc6fe3
I agree this is a security issue. Should we simply clamp |
You could limit |
Fix integer overflow when computing tilemap size. Fixes #2071
Hello Teeworlds dev team,
There is an integer overflow in CMap::Load() which can lead to a buffer overflow.
pTilemap->m_Width and pTilemap->m_Height can be arbitrary integers and there is no check for an integer overflow when multiplying these integers with each other and with sizeof(CTile). Also there is no check if mem_alloc returns NULL, which can lead to a null pointer dereference.
Regards,
Mans van Someren
http://whatthebug.net/
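The two defects the report describes (unchecked multiplication of width, height and sizeof(CTile), and an unchecked allocation result) can be closed with a size computation that rejects overflow before allocating. The following is an added example, not code from the Teeworlds project: the CTile layout is a stand-in (only its size matters), and the function names tilemap_byte_size and tilemap_alloc are hypothetical.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Stand-in tile struct (assumption for this example); only sizeof(CTile)
 * is used below, so the field names do not matter. */
typedef struct { unsigned char m_Index, m_Flags, m_Skip, m_Reserved; } CTile;

/* Compute width * height * sizeof(CTile) with overflow checks.
 * Returns 1 and writes the byte count to *out on success; returns 0 when a
 * dimension is non-positive, when width * height does not fit in an int
 * (the engine indexes tiles with int), or when the byte count would not fit
 * in size_t. Rejecting instead of wrapping is what prevents a tiny
 * allocation followed by an out-of-bounds write. */
int tilemap_byte_size(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0)
        return 0;
    if (width > INT_MAX / height)          /* width * height would overflow int */
        return 0;
    size_t tiles = (size_t)width * (size_t)height;
    if (tiles > SIZE_MAX / sizeof(CTile))  /* tiles * sizeof(CTile) would overflow */
        return 0;
    *out = tiles * sizeof(CTile);
    return 1;
}

/* Allocate the tile buffer. Returns NULL both when the size is rejected and
 * when the allocator fails, so the caller cannot dereference a null pointer
 * by accident: it must check the result. */
CTile *tilemap_alloc(int width, int height)
{
    size_t bytes;
    if (!tilemap_byte_size(width, height, &bytes))
        return NULL;
    CTile *tiles = (CTile *)malloc(bytes);
    if (tiles == NULL)                      /* allocator failure is reported, not ignored */
        return NULL;
    return tiles;
}
```

A caller that receives NULL from tilemap_alloc should treat the map as malformed and abort loading rather than continue with a partially initialised layer.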