File: CVE-2021-43518.patch

package info (click to toggle)
teeworlds 0.7.5-3
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 16,068 kB
  • sloc: cpp: 58,010; ansic: 14,468; python: 3,763; asm: 946; objc: 107; makefile: 36; xml: 21; sh: 7
file content (34 lines) | stat: -rw-r--r-- 1,459 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
 
Backport 91e5492d4c210f82f1ca6b43a73417fef5463368 as the hotfix for CVE-2021-43518

--- teeworlds-0.7.5.orig/src/game/client/components/maplayers.cpp
+++ teeworlds-0.7.5/src/game/client/components/maplayers.cpp
@@ -254,7 +254,7 @@ void CMapLayers::LoadEnvPoints(const CLa
 				p.m_Time = pEnvPoint_v1->m_Time;
 				p.m_Curvetype = pEnvPoint_v1->m_Curvetype;
 
-				for(int c = 0; c < pItem->m_Channels; c++)
+				for(int c = 0; c < min(pItem->m_Channels, 4); c++)
 				{
 					p.m_aValues[c] = pEnvPoint_v1->m_aValues[c];
 					p.m_aInTangentdx[c] = 0;
--- teeworlds-0.7.5.orig/src/game/editor/io.cpp
+++ teeworlds-0.7.5/src/game/editor/io.cpp
@@ -478,7 +478,8 @@ int CEditorMap::Load(class IStorage *pSt
 			for(int e = 0; e < Num; e++)
 			{
 				CMapItemEnvelope *pItem = (CMapItemEnvelope *)DataFile.GetItem(Start+e, 0, 0);
-				CEnvelope *pEnv = new CEnvelope(pItem->m_Channels);
+				const int Channels = min(pItem->m_Channels, 4);
+				CEnvelope *pEnv = new CEnvelope(Channels);
 				pEnv->m_lPoints.set_size(pItem->m_NumPoints);
 				for(int n = 0; n < pItem->m_NumPoints; n++)
 				{
@@ -495,7 +496,7 @@ int CEditorMap::Load(class IStorage *pSt
 						pEnv->m_lPoints[n].m_Time = pEnvPoint_v1->m_Time;
 						pEnv->m_lPoints[n].m_Curvetype = pEnvPoint_v1->m_Curvetype;
 
-						for(int c = 0; c < pItem->m_Channels; c++)
+						for(int c = 0; c < Channels; c++)
 						{
 							pEnv->m_lPoints[n].m_aValues[c] = pEnvPoint_v1->m_aValues[c];
 						}