Fix potential OOB access during huffman decompression

[Caball009]

If 'readsize' is equal to the size of the input buffer, there's potentially OOB access because the while loop increases the bit offset and only checks the nodes from the huffman tree and not whether the number of bits exceeds 'readsize'. This won't lead to problems if the size of input buffer is greater than 'readsize' but still a design flaw.

[ghost]

Hi, why this is not merged?
Is it because the cod4x modified MSG_ReadBitsCompress and the check decompressMsg.cursize == decompressMsg.maxsize are enough to prevent control access?

Can't server still get crashed if not fixing Huff_offsetReceive? (ioquake/ioq3@d2b1d12)

@proxict
@IceNinjaman

[ghost]

ah my bad, i thought this project was still active

[proxict]

Hi, it's not merged because it's not tested yet.
There are currently other things being worked on in cod4x in the background.

[ghost]

Hi, it's not merged because it's not tested yet. There are currently other things being worked on in cod4x in the background.

Ah ok, some exploits don't seem easy to do
i prefer to test securities before adding them too, but when i see it's too hard for me, i prefer to add anyway, rather than hoping someday i would manage to test, if it's not too late

[proxict]

If this bug was easily exploitable, it wouldn't have been publicly disclosed before fixing it.