bugfix(network): Fix out of bounds memory access for wrapped net commands

Mauller · Mauller · commit 3d36e1d0f1bc · 2025-12-05T20:32:09.000Z
diff --git a/Core/GameEngine/Include/GameNetwork/NetCommandWrapperList.h b/Core/GameEngine/Include/GameNetwork/NetCommandWrapperList.h
@@ -49,7 +49,7 @@ class NetCommandWrapperListNode : public MemoryPoolObject
 protected:
 	UnsignedShort m_commandID;
 	UnsignedByte *m_data;
-	UnsignedInt m_dataLength;
+	UnsignedInt m_totalDataLength;
 	Bool *m_chunksPresent;
 	UnsignedInt m_numChunks;
 	UnsignedInt m_numChunksPresent;
diff --git a/Core/GameEngine/Source/GameNetwork/NetCommandWrapperList.cpp b/Core/GameEngine/Source/GameNetwork/NetCommandWrapperList.cpp
@@ -45,8 +45,8 @@ NetCommandWrapperListNode::NetCommandWrapperListNode(NetWrapperCommandMsg *msg)
 		m_chunksPresent[i] = FALSE;
 	}
 
-	m_dataLength = msg->getTotalDataLength();
-	m_data = NEW UnsignedByte[m_dataLength];	// pool[]ify
+	m_totalDataLength = msg->getTotalDataLength();
+	m_data = NEW UnsignedByte[m_totalDataLength];	// pool[]ify
 
 	m_commandID = msg->getWrappedCommandID();
 }
@@ -75,31 +75,52 @@ UnsignedShort NetCommandWrapperListNode::getCommandID() {
 }
 
 UnsignedInt NetCommandWrapperListNode::getRawDataLength() {
-	return m_dataLength;
+	return m_totalDataLength;
 }
 
 void NetCommandWrapperListNode::copyChunkData(NetWrapperCommandMsg *msg) {
+
 	if (msg == NULL) {
 		DEBUG_CRASH(("Trying to copy data from a non-existent wrapper command message"));
 		return;
 	}
 
-	DEBUG_ASSERTCRASH(msg->getChunkNumber() < m_numChunks, ("MunkeeChunk %d of %d",
-		msg->getChunkNumber(), m_numChunks));
-	if (msg->getChunkNumber() >= m_numChunks)
+	UnsignedInt chunkNumber = msg->getChunkNumber();
+
+	if (chunkNumber >= m_numChunks) {
+		DEBUG_CRASH(("Data chunk number exceeds the number of chunks expected; chunk %d of %d", chunkNumber, m_numChunks));
+		return;
+	}
+
+	// we already received this chunk, no need to recopy it.
+	if (m_chunksPresent[chunkNumber] == TRUE) {
+		return;
+	}
+
+	UnsignedInt chunkDataOffset = msg->getDataOffset();
+	UnsignedInt chunkDataLength = msg->getDataLength();
+
+	// TheSuperHackers @bugfix Mauller 04/12/2025 Prevent out of bounds memory access
+	if (chunkDataOffset >= m_totalDataLength) {
+		DEBUG_CRASH(("Data chunk offset beyond data size"));
 		return;
+	}
 
-	DEBUG_LOG(("NetCommandWrapperListNode::copyChunkData() - copying chunk %d",
-		msg->getChunkNumber()));
+	if (chunkDataLength > MAX_PACKET_SIZE ) {
+		DEBUG_CRASH(("Data Chunk size greater than packet size"));
+		return;
+	}
 
-	if (m_chunksPresent[msg->getChunkNumber()] == TRUE) {
-		// we already received this chunk, no need to recopy it.
+	if (chunkDataOffset + chunkDataLength >= m_totalDataLength) {
+		DEBUG_CRASH(("Data chunk exceeds data array size"));
 		return;
 	}
 
-	m_chunksPresent[msg->getChunkNumber()] = TRUE;
-	UnsignedInt offset = msg->getDataOffset();
-	memcpy(m_data + offset, msg->getData(), msg->getDataLength());
+	DEBUG_LOG(("NetCommandWrapperListNode::copyChunkData() - copying chunk %d", chunkNumber));
+
+	memcpy(m_data + chunkDataOffset, msg->getData(), chunkDataLength);
+
+	m_chunksPresent[chunkNumber] = TRUE;
 	++m_numChunksPresent;
 }
 
