Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Crash]: Nullptr dereference can occur in check for whether RealSpriteGroup contains only one value #12685

Closed
JGRennison opened this issue May 15, 2024 · 0 comments
Closed

[Crash]: Nullptr dereference can occur in check for whether RealSpriteGroup contains only one value #12685

JGRennison opened this issue May 15, 2024 · 0 comments

Comments

@JGRennison
Copy link
Contributor

Version of OpenTTD

Since #9344

Steps to reproduce

In newgrf.cpp

if (std::adjacent_find(loaded.begin(),  loaded.end(),  std::not_equal_to<>()) == loaded.end() &&
	std::adjacent_find(loading.begin(), loading.end(), std::not_equal_to<>()) == loading.end() &&
	loaded[0] == loading[0])

If on or other of these is empty, and the other has at least two entries which are all the same, then the prior num_loaded + num_loading == 0 and num_loaded + num_loading == 1 cases aren't met, and then loaded[0]/loading[0] can index into an empty vector (i.e. nullptr dereference).

Upload crash files

I don't have access to the GRF(s) which generated the crash report which highlighted this issue.
PeterN added a commit to PeterN/OpenTTD that referenced this issue May 15, 2024
@PeterN
Fix OpenTTD#12685: nullptr deference when checking for equal loaded/l…
b687249 
…oading groups.

Always treat empty groups as non-equal. Given that the case both being empty is handled earlier, they cannot both be empty.

Additionally if a loaded or loading are all the same, only add one reference.
PeterN added a commit to PeterN/OpenTTD that referenced this issue May 15, 2024
@PeterN
Fix OpenTTD#12685: nullptr dereference when checking for equal loaded…
166e68a 
…/loading groups.

Always treat empty groups as non-equal. Given that the case both being empty is handled earlier, they cannot both be equal and empty.

Additionally if a loaded or loading set are all the same, only add one reference.
@PeterN PeterN mentioned this issue May 15, 2024
Merged
@PeterN PeterN closed this as completed in 856ec90 May 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@JGRennison