Summary
A replay response length overflow can cause replay hallucination.
Replay response lengths are stored as uint8_t, but the server may record client response payloads larger than 255 bytes. When this happens, the stored length overflows/truncates to one byte.
For example:
- a response length of 260 is stored as 4
- a response length of 512 is stored as 0
The replay reader then consumes only the truncated length for the current response, while the remaining bytes stay in the replay response stream and may be interpreted as future responses.
Actual Behavior
A modified client can send an oversized response whose leading bytes are accepted by the duel core.
The live duel may continue normally, but the replay records:
- a truncated
uint8_t response length
- the full oversized response payload
During playback, the replay may consume the extra bytes as later responses. This can create a replay hallucination: the replay appears to show actions or choices that did not actually happen in the live duel.
Expected Behavior
Replay response length must not overflow or truncate.
The server should never write a response payload whose length cannot be represented correctly by the replay format. Replay playback should faithfully represent the actual accepted duel flow, with no extra client-supplied trailing bytes becoming future responses.
Impact
This is a replay integrity issue.
A malicious modified client may be able to inject additional replay response data by abusing uint8_t length overflow. In tournament or ranked environments, this can make replay evidence unreliable.
In the worst case, a replay may remain playable but hallucinate a different duel sequence, such as showing a player making choices or mistakes that they did not make during the actual duel.
Suggested Fix
The server should prevent uint8_t replay response length overflow.
Possible fixes include:
- Reject
CTOS_RESPONSE payloads larger than 255 bytes.
- Clamp recorded response payloads to the canonical response size for the current prompt.
- Record only normalized accepted response bytes.
- Avoid writing oversized raw client response data into replay files.
The key requirement is that replay response length and replay response payload size must always match exactly.
Summary
A replay response length overflow can cause replay hallucination.
Replay response lengths are stored as
uint8_t, but the server may record client response payloads larger than 255 bytes. When this happens, the stored length overflows/truncates to one byte.For example:
The replay reader then consumes only the truncated length for the current response, while the remaining bytes stay in the replay response stream and may be interpreted as future responses.
Actual Behavior
A modified client can send an oversized response whose leading bytes are accepted by the duel core.
The live duel may continue normally, but the replay records:
uint8_tresponse lengthDuring playback, the replay may consume the extra bytes as later responses. This can create a replay hallucination: the replay appears to show actions or choices that did not actually happen in the live duel.
Expected Behavior
Replay response length must not overflow or truncate.
The server should never write a response payload whose length cannot be represented correctly by the replay format. Replay playback should faithfully represent the actual accepted duel flow, with no extra client-supplied trailing bytes becoming future responses.
Impact
This is a replay integrity issue.
A malicious modified client may be able to inject additional replay response data by abusing
uint8_tlength overflow. In tournament or ranked environments, this can make replay evidence unreliable.In the worst case, a replay may remain playable but hallucinate a different duel sequence, such as showing a player making choices or mistakes that they did not make during the actual duel.
Suggested Fix
The server should prevent
uint8_treplay response length overflow.Possible fixes include:
CTOS_RESPONSEpayloads larger than 255 bytes.The key requirement is that replay response length and replay response payload size must always match exactly.