From 91e5492d4c210f82f1ca6b43a73417fef5463368 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20M=C3=BCller?= <robert.mueller@uni-siegen.de>
Date: Sat, 15 Jan 2022 17:36:39 +0100
Subject: [PATCH] hotfix CVE-2021-43518
---
src/game/client/components/maplayers.cpp | 2 +-
src/game/editor/io.cpp | 5 +++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/game/client/components/maplayers.cpp b/src/game/client/components/maplayers.cpp
index 24d0950941..bbaaa8213d 100644
--- a/src/game/client/components/maplayers.cpp
+++ b/src/game/client/components/maplayers.cpp
@@ -175,7 +175,7 @@ void CMapLayers::LoadEnvPoints(const CLayers *pLayers, array<CEnvPoint>& lEnvPoi
p.m_Time = pEnvPoint_v1->m_Time;
p.m_Curvetype = pEnvPoint_v1->m_Curvetype;
- for(int c = 0; c < pItem->m_Channels; c++)
+ for(int c = 0; c < fminimum(pItem->m_Channels, 4); c++)
{
p.m_aValues[c] = pEnvPoint_v1->m_aValues[c];
p.m_aInTangentdx[c] = 0;
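Review bot: The bound `4` in this loop condition is a bare literal, repeated in both io.cpp hunks, so the clamp only protects `p.m_aValues[c]` and `pEnvPoint_v1->m_aValues[c]` while it matches the declared length of those arrays, which is not visible in this patch. Tie it to the declaration and hoist it out of the loop condition, e.g. `const int Channels = fminimum(pItem->m_Channels, (int)(sizeof(p.m_aValues) / sizeof(p.m_aValues[0])));` (assuming `m_aValues` is a fixed-size array), or use one shared named constant in all three places. A short comment such as `// m_Channels is read from map data; never index past m_aValues` would record why the clamp exists. The body of `LoadEnvPoints` starts and ends outside the hunk, so where `pItem` comes from cannot be confirmed here.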
diff --git a/src/game/editor/io.cpp b/src/game/editor/io.cpp
index 160bb1c6dc..2bedb06e43 100644
--- a/src/game/editor/io.cpp
+++ b/src/game/editor/io.cpp
@@ -479,7 +479,8 @@ int CEditorMap::Load(class IStorage *pStorage, const char *pFileName, int Storag
for(int e = 0; e < Num; e++)
{
CMapItemEnvelope *pItem = (CMapItemEnvelope *)DataFile.GetItem(Start+e, 0, 0);
- CEnvelope *pEnv = new CEnvelope(pItem->m_Channels);
+ const int Channels = fminimum(pItem->m_Channels, 4);
+ CEnvelope *pEnv = new CEnvelope(Channels);
pEnv->m_lPoints.set_size(pItem->m_NumPoints);
for(int n = 0; n < pItem->m_NumPoints; n++)
{
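Review bot: `pItem->m_NumPoints` is still used unchecked on the new side: it sizes `m_lPoints` through `set_size` and bounds the loop over points, although it comes from the same `DataFile.GetItem` record as `m_Channels`. The clamp also has no lower bound, so a negative `m_Channels` reaches `new CEnvelope(Channels)` unchanged; what the constructor does with it is not visible here. Bound both from below before the allocation, for example `const int Channels = pItem->m_Channels < 0 ? 0 : fminimum(pItem->m_Channels, 4);` and a matching check on `m_NumPoints`. The point range should also be validated against the envelope-point data, which is located outside this hunk, since `CEditorMap::Load` continues past it.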
@@ -496,7 +497,7 @@ int CEditorMap::Load(class IStorage *pStorage, const char *pFileName, int Storag
pEnv->m_lPoints[n].m_Time = pEnvPoint_v1->m_Time;
pEnv->m_lPoints[n].m_Curvetype = pEnvPoint_v1->m_Curvetype;
- for(int c = 0; c < pItem->m_Channels; c++)
+ for(int c = 0; c < Channels; c++)
{
pEnv->m_lPoints[n].m_aValues[c] = pEnvPoint_v1->m_aValues[c];
}