Passing a negative number to the color parameter of getColormap will crash the game
Note: It's possible that this crash will not occur on Windows. I tested on Linux and it crashed, but someone else running Windows did not get the crash. My binary was built from the current latest commit on the master branch, 58fa44e8dc0444eecbe701f31872fad9fa563a6a.
This isn't the v.getColormap(-1) thing. In this case, it's the second (color) parameter that has a negative number passed to it. This causes a SIGSEGV, when it should really just cause a Lua error. Here's the stack trace from gdb:
#0 0x000055fb607a8a4e in R_GetTranslationColormap (skinnum=-122, color=color@entry=4294967294, flags=flags@entry=1 '\001') at r_draw.c:592
#1 0x000055fb6081ba21 in libd_getColormap (L=0x55fb693a69ec) at lua_hudlib.c:915
#2 0x000055fb60823aa6 in luaD_precall (L=L@entry=0x55fb693a69ec, func=func@entry=0x55fb69224ebc, nresults=nresults@entry=0) at blua/ldo.c:332
#3 0x000055fb6083ccc8 in luaV_execute (L=L@entry=0x55fb693a69ec, nexeccalls=nexeccalls@entry=1) at blua/lvm.c:647
#4 0x000055fb60823f65 in luaD_call (L=0x55fb693a69ec, func=0x55fb69224e9c, nResults=<optimized out>) at blua/ldo.c:390
#5 0x000055fb608233ab in luaD_rawrunprotected (L=L@entry=0x55fb693a69ec, f=f@entry=0x55fb6081d8f0 <f_call>, ud=ud@entry=0x7fffde2691e0) at blua/ldo.c:129
#6 0x000055fb6082420c in luaD_pcall (L=L@entry=0x55fb693a69ec, func=func@entry=0x55fb6081d8f0 <f_call>, u=u@entry=0x7fffde2691e0, old_top=112, ef=<optimized out>) at blua/ldo.c:476
#7 0x000055fb60820fa7 in lua_pcall (L=L@entry=0x55fb693a69ec, nargs=nargs@entry=3, nresults=nresults@entry=0, errfunc=errfunc@entry=1) at blua/lapi.c:810
#8 0x000055fb607ecd7f in LUA_Call (L=0x55fb693a69ec, nargs=nargs@entry=3, nresults=nresults@entry=0, errorhandlerindex=errorhandlerindex@entry=1) at lua_script.c:140
#9 0x000055fb6081d3e3 in LUAh_GameHUD (stplayr=0x55fb61bf1380 <players>) at lua_hudlib.c:1291
#10 0x000055fb606c5efa in ST_overlayDrawer () at st_stuff.c:2735
#11 0x000055fb606c9754 in ST_Drawer () at st_stuff.c:2815
#12 0x000055fb60659ac5 in D_Display () at d_main.c:481
#13 0x000055fb6065a101 in D_Display () at d_main.c:271
#14 D_SRB2Loop () at d_main.c:745
#15 0x000055fb606268c8 in main (argc=<optimized out>, argv=<optimized out>) at sdl/i_main.c:258
To reproduce the crash, add this Lua script and load a map:
hud.add(function(v) v.getColormap(TC_DEFAULT, -2) end, 'game')
The crash occurs because the Lua function passes that to R_GetTranslationColormap as a parameter which is then used as an array index, and no bounds checking is performed.
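The failure mode described above, illustrated as an added example that is not the game's code: the frame shows `color=4294967294`, which is what -2 becomes when a signed Lua integer is converted to an unsigned parameter, and an unchecked index of that size reads far outside the colormap table. The block below uses a constructed eight-entry table (the real table size, types and `R_GetTranslationColormap` are not reproduced) and shows a check performed on the signed value before it is converted or used as an index, which is where a binding like `libd_getColormap` would raise a Lua error instead of crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the colormap table. Eight entries, chosen for the
   demo; the game's real table and its size are not reproduced here. */
#define NUM_COLORS 8
static const char *const colormap_names[NUM_COLORS] = {
    "none", "red", "orange", "yellow", "green", "blue", "purple", "grey"
};

/* Reproduces the conversion visible in the gdb frame: a signed -2 passed into
   an unsigned 32-bit parameter reads back as 4294967294. */
uint32_t as_unsigned_param(long long lua_value)
{
    return (uint32_t)lua_value;
}

/* Bounds check performed on the signed value, before any conversion to an
   unsigned type or use as an array index. Returns true and stores the index
   when 0 <= value < NUM_COLORS, false for negative or too-large values. */
bool checked_color_index(long long lua_value, size_t *out_index)
{
    if (lua_value < 0 || lua_value >= (long long)NUM_COLORS)
        return false;
    *out_index = (size_t)lua_value;
    return true;
}

/* Table lookup that refuses out-of-range indices instead of reading out of
   bounds. Returns NULL where a real Lua binding would call luaL_error(). */
const char *lookup_colormap(long long lua_value)
{
    size_t idx;
    if (!checked_color_index(lua_value, &idx))
        return NULL;
    return colormap_names[idx];
}

int main(void)
{
    /* The value from the report's reproducer script: v.getColormap(TC_DEFAULT, -2) */
    long long from_lua = -2;

    printf("-2 as an unsigned parameter: %u\n", as_unsigned_param(from_lua));

    const char *name = lookup_colormap(from_lua);
    if (name == NULL)
        printf("color index %lld rejected (would be a Lua error, not a crash)\n", from_lua);
    else
        printf("color index %lld -> %s\n", from_lua, name);

    name = lookup_colormap(1);
    printf("color index 1 -> %s\n", name ? name : "(rejected)");
    return 0;
}
```

The point of checking the `long long` rather than the converted `uint32_t` is that the sign is still visible there; once the value has become 4294967294 the only evidence of the caller's mistake is a huge index, and a function that never compares it against the table size, as the report describes, walks straight off the end of the array.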
Edited by Sparkette