Test crash fix (avert) for old, Top 10 crash: SA @ 0x011630F8

Dutchman101 · Dutchman101 · commit e6d967013a0e · 2026-02-13T02:56:30.000+01:00
diff --git a/Client/game_sa/CRenderWareSA.cpp b/Client/game_sa/CRenderWareSA.cpp
@@ -1008,14 +1008,20 @@ CColModel* CRenderWareSA::ReadCOL(const SString& buffer)
 
     // Ensure shadow data consistency to prevent crash in GTA's stencil shadow rendering
     // GTA accesses shadow vertices without NULL checks, causing crash if pointer is NULL but count is non-zero
+    // Also cap counts to catch corrupt data before CCollisionData::Copy amplifies it into an out-of-bounds read
     auto* pInterface = pColModel->GetInterface();
     if (pInterface && pInterface->m_data)
     {
         auto* pData = pInterface->m_data;
 
-        // shadow counts indicate data exists but pointers are NULL
-        const bool shadowVertsCorrupt = pData->m_numShadowVertices > 0 && pData->m_shadowVertices == nullptr;
-        const bool shadowTrisCorrupt = pData->m_numShadowTriangles > 0 && pData->m_shadowTriangles == nullptr;
+        constexpr std::uint32_t MAX_SHADOW_VERTICES = 10000;
+        constexpr std::uint32_t MAX_SHADOW_TRIANGLES = 5000;
+
+        // shadow counts indicate data exists but pointers are NULL, or counts are beyond any legitimate model
+        const bool shadowVertsCorrupt =
+            (pData->m_numShadowVertices > 0 && pData->m_shadowVertices == nullptr) || pData->m_numShadowVertices > MAX_SHADOW_VERTICES;
+        const bool shadowTrisCorrupt =
+            (pData->m_numShadowTriangles > 0 && pData->m_shadowTriangles == nullptr) || pData->m_numShadowTriangles > MAX_SHADOW_TRIANGLES;
 
         if (shadowVertsCorrupt || shadowTrisCorrupt)
         {
diff --git a/Client/multiplayer_sa/CMultiplayerSA_CrashFixHacks.cpp b/Client/multiplayer_sa/CMultiplayerSA_CrashFixHacks.cpp
@@ -17,6 +17,7 @@
 #include "../game_sa/TaskBasicSA.h"
 #include "../game_sa/CFxSystemBPSA.h"
 #include "../game_sa/CFxSystemSA.h"
+#include "../game_sa/CColModelSA.h"
 
 extern CCoreInterface* g_pCore;
 
@@ -3098,6 +3099,46 @@ static void __declspec(naked) HOOK_CFire_ProcessFire()
     // clang-format on
 }
 
+//////////////////////////////////////////////////////////////////////////////////////////
+//
+// CColModel::MakeMultipleAlloc - Validate collision data before converting
+// single-allocation to multi-allocation format via CCollisionData::Copy.
+//
+// Corrupt collision data (e.g. from PC_Scratch buffer overflow) can produce
+// bogus shadow vertex/triangle counts, causing Copy to read past allocations.
+//
+//////////////////////////////////////////////////////////////////////////////////////////
+#define HOOKPOS_CColModel_MakeMultipleAlloc  0x40F740
+#define HOOKSIZE_CColModel_MakeMultipleAlloc 5
+static void __fastcall HOOK_CColModel_MakeMultipleAlloc(CColModelSAInterface* pColModel, void*)
+{
+    if (CColDataSA* pData = pColModel->m_data)
+    {
+        constexpr std::uint32_t MAX_SHADOW_TRIANGLES = 5000;
+        constexpr std::uint32_t MAX_SHADOW_VERTICES = 10000;
+
+        const bool shadowCorrupt = pData->m_numShadowTriangles > MAX_SHADOW_TRIANGLES || pData->m_numShadowVertices > MAX_SHADOW_VERTICES ||
+                                   (pData->m_numShadowVertices > 0 && !pData->m_shadowVertices) ||
+                                   (pData->m_numShadowTriangles > 0 && !pData->m_shadowTriangles);
+
+        if (shadowCorrupt)
+        {
+            pData->m_numShadowTriangles = 0;
+            pData->m_numShadowVertices = 0;
+            pData->m_shadowVertices = nullptr;
+            pData->m_shadowTriangles = nullptr;
+            pData->m_hasShadowInfo = 0;
+            pData->m_hasShadow = 0;
+
+            OnCrashAverted(9801);
+        }
+    }
+
+    // Call the original MakeMultipleAlloc
+    using MakeMultipleAlloc_t = void(__thiscall*)(CColModelSAInterface*);
+    reinterpret_cast<MakeMultipleAlloc_t>(0x1564A10)(pColModel);
+}
+
 //////////////////////////////////////////////////////////////////////////////////////////
 //
 // Setup hooks for CrashFixHacks
@@ -3169,6 +3210,8 @@ void CMultiplayerSA::InitHooks_CrashFixHacks()
     EZHookInstall(FxPrim_c__Enable);
     EZHookInstall(CFire_ProcessFire);
 
+    EZHookInstall(CColModel_MakeMultipleAlloc);
+
     // Install train crossing crashfix (the temporary variable is required for the template logic)
     void (*temp)() = HOOK_TrainCrossingBarrierCrashFix<RETURN_CObject_Destructor_TrainCrossing_Check, RETURN_CObject_Destructor_TrainCrossing_Invalid>;
     HookInstall(HOOKPOS_CObject_Destructor_TrainCrossing_Check, (DWORD)temp, 5);
