
Fix Heap buffer overflow in Animation::_find() #106654


Open: wants to merge 1 commit into base: master

Conversation

jamie-pate
Contributor

Fixes #106647

middle can be set to -1 and then used as an index in keys, which causes a heap buffer underflow.

@jamie-pate jamie-pate requested a review from a team as a code owner May 20, 2025 22:27
@@ -2441,7 +2441,7 @@ int Animation::_find(const Vector<K> &p_keys, double p_time, bool p_backward, bo
}
}

if (p_limit) {
if (p_limit && middle > -1) {
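Review bot: the new guard only protects the lower bound of `middle`. As the thread below points out, this method legitimately returns both -1 and len, so when middle == len the p_keys[middle] read inside this branch is still one element past the end of the array. The condition should check both bounds, `if (p_limit && middle > -1 && middle < len) {`, which is the form the author reports applying in the follow-up.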
Member


Do we still want the error if middle is -1?

Contributor Author


The error says 'found the key', but if middle is -1 then we didn't find the key (the binary search has gone off the left side of the array).

Contributor


The error is specifically for if a valid key is found but it's outside the animation's range; from the usage of this method both -1 and len are valid return values. With that in mind this check should cover both bounds - p_limit && middle > -1 && middle < len.
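To make the point of this comment concrete, here is an added example that is not Godot's code: a simplified stand-in for the key search discussed above (the real Animation::_find has more parameters and behaviour; this analog only keeps the part relevant here). find_key returns the index of the last key at or before p_time when searching forward, or the first key at or after it when searching backward, so -1 and len are both legitimate "no such key" results. find_key_limited then shows the guard from the thread: the key at the returned index is only read when the index lies strictly inside [0, len). The Key struct, the function names and the anim_length parameter are assumptions made for this example.

```cpp
// Added example: simplified analog of the search discussed in this thread.
// Not Godot's code; names and semantics are assumptions for illustration.
#include <cstdio>
#include <vector>

struct Key {
    double time;  // position of the key on the timeline, in seconds
    int value;    // payload, irrelevant for the search itself
};

// Forward: index of the last key with time <= p_time, or -1 if there is none.
// Backward: index of the first key with time >= p_time, or len if there is none.
// Both -1 and len are therefore valid, expected return values, not errors.
int find_key(const std::vector<Key> &keys, double p_time, bool backward) {
    const int len = static_cast<int>(keys.size());
    int low = 0;
    int high = len - 1;
    if (!backward) {
        int result = -1;  // "before every key" until proven otherwise
        while (low <= high) {
            const int middle = low + (high - low) / 2;
            if (keys[middle].time <= p_time) {
                result = middle;
                low = middle + 1;
            } else {
                high = middle - 1;
            }
        }
        return result;
    }
    int result = len;  // "after every key" until proven otherwise
    while (low <= high) {
        const int middle = low + (high - low) / 2;
        if (keys[middle].time >= p_time) {
            result = middle;
            high = middle - 1;
        } else {
            low = middle + 1;
        }
    }
    return result;
}

struct FindResult {
    int index;         // -1, len, or a valid key index
    bool key_outside;  // a real key was found but lies outside [0, anim_length]
};

// The guarded check: only a real key (index inside [0, len)) can be inspected.
// Without both bounds, index == -1 reads before the buffer and index == len
// reads one past its end, which is the crash the PR fixes.
FindResult find_key_limited(const std::vector<Key> &keys, double p_time,
                            bool backward, bool limit, double anim_length) {
    const int len = static_cast<int>(keys.size());
    FindResult r{find_key(keys, p_time, backward), false};
    if (limit && r.index > -1 && r.index < len) {
        const double t = keys[r.index].time;
        r.key_outside = (t < 0.0 || t > anim_length);
    }
    return r;
}

int main() {
    // Constructed sample track: three keys, the animation is 2 seconds long.
    const std::vector<Key> keys = {{0.5, 0}, {1.0, 1}, {2.0, 2}};
    std::printf("forward  t=0.25 -> %d\n", find_key(keys, 0.25, false));  // -1
    std::printf("backward t=3.00 -> %d\n", find_key(keys, 3.0, true));    // 3 (len)
    const FindResult r = find_key_limited(keys, 0.25, false, true, 2.0);
    std::printf("limited  t=0.25 -> index %d, outside %d\n", r.index, r.key_outside);
    return 0;
}
```

Running the stand-alone main prints -1 for a time before the first key and len for a backward search past the last key, and the limited search at 0.25 s reports index -1 without touching the key array. In the engine the same guard keeps the "key outside the animation range" error path from indexing p_keys with either sentinel value.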

Member


Thanks for the answers!

That makes sense. It also makes sense why we would want to also check that middle < len.

Contributor Author


Updated.

Member

@TokageItLab TokageItLab left a comment


LGTM, this was my fault. Thanks for the follow up!

@TokageItLab TokageItLab added this to the 4.5 milestone May 21, 2025
@TokageItLab TokageItLab added labels bug, crash, topic:animation, cherrypick:4.4 (Considered for cherry-picking into a future 4.4.x release), cherrypick:4.3 (Considered for cherry-picking into a future 4.3.x release) May 21, 2025
Development

Successfully merging this pull request may close these issues.

Heap buffer overflow in Animation::_find()
4 participants