Possible memory corruption with VariableDeltaSerializer #41
Description
I'm just dropping this here so that the community knows...
I found an issue when serializing too many variables using the variabledeltaserializer.
bool WriteVarToBitstream(const VarType &varData, RakNet::BitStream *bitStream, unsigned char *bArray, unsigned short writeOffset)
{
static bool checkHeap = false;
if (WriteVarToBitstream(varData,bitStream)==true)
{
BitSize_t numberOfBitsMod8 = writeOffset & 7;
if (numberOfBitsMod8 == 0)
---------> bArray[writeOffset >> 3] = 0x80; <-----------
else
---------> bArray[writeOffset >> 3] |= 0x80 >> (numberOfBitsMod8); // Set the bit to 1 <-----------
These lines will cause memory overflow if writeOffset exceeds 447.
This is due to the bitField this class uses:
struct ChangedVariablesList
{
uint32_t sendReceipt;
unsigned short bitWriteIndex;
unsigned char bitField[------------>56<-----------];
};
By increasing this value, we can extend the maximum number of variables that can be serialized. But this should be made dynamic.
More importantly, a hard crash should be put in place when this is detected and an assert explaining what's the problem. It would have saved me a few days of debugging!
Here is my guard (not a fix per say):
template <class VarType>
void SerializeVariable(SerializationContext *context, const VarType &variable)
{
context->variableHistory->variableListDeltaTracker.fCheckHeap = fCheckHeap;
if (context->newSystemSend)
{
if (context->variableHistory->variableListDeltaTracker.IsPastEndOfList()==false)
{
// previously sent data to another system
context->bitStream->Write(true);
context->bitStream->Write(variable);
context->anyVariablesWritten=true;
}
else
{
// never sent data to another system
context->variableHistory->variableListDeltaTracker.WriteVarToBitstream(variable, context->bitStream);
context->anyVariablesWritten=true;
}
}
else if (context->serializationMode==UNRELIABLE_WITH_ACK_RECEIPT)
{
------------>RakAssert((context->changedVariables->bitWriteIndex >> 3) < 56);
------------>if (!((context->changedVariables->bitWriteIndex >> 3) < 56))
------------>{
------------> // Crash here. Continuing execution will lead to memory corruption.
------------> // What does this mean? Too many variables to serialize. Need to split them into more replicas or increase the bitField size.
------------> *(int*)123 = 123;
------------>}
context->anyVariablesWritten|=
context->variableHistory->variableListDeltaTracker.WriteVarToBitstream(variable, context->bitStream, context->changedVariables->bitField, context->changedVariables->bitWriteIndex++);
}
else
{
if (context->variableHistoryIdentical)
{
// Identical serialization to a number of systems
if (didComparisonThisTick==false)
context->anyVariablesWritten|=
context->variableHistory->variableListDeltaTracker.WriteVarToBitstream(variable, context->bitStream);
// Else bitstream is written to at the end
}
else
{
// Per-system serialization
context->anyVariablesWritten|=
context->variableHistory->variableListDeltaTracker.WriteVarToBitstream(variable, context->bitStream);
}
}
}