When exactly four bytes remain, mvelib will attempt to compute a
past-the-end pointer. Some handlers will dereference this pointer
without rechecking the length. Adjust the header check to require a
non-empty body.
Reported-by: jwrdegoede <https://github.com/dxx-rebirth/dxx-rebirth/issues/413>
PHYSFS_init is not guaranteed to succeed. Using PHYSFS functions after
PHYSFS_init fails is likely to fail badly. On Windows, failure may take
the form of a crash in ntdll. Avoid this by exiting gracefully.
Commit 88b5e616a9 ("Replace calls to
window_set_visible in DoPlayerDead() with stop/start_time()") switched
from hiding the game window to only stopping time, and that only if
hiding the window would have stopped time. In multiplayer, this allows
time to continue running. This introduced a crash if the player dies
during the mine countdown. When the player dies, the game checks if the
reactor has been destroyed. If so, the game immediately advances to the
next level. That advance will try to draw the game window if it is
visible. When the window is drawn, if time is not stopped, then game
logic runs. Some of that logic is not prepared to deal with the
inconsistent state present when a new level is only partially loaded.
That inconsistent state then causes a crash. Call stack:
#11 slew_frame () at similar/main/slew.cpp:152
#12 in d2x::object_move_one () at similar/main/object.cpp:1758
#13 in d2x::object_move_all () at similar/main/object.cpp:1956
#14 in d2x::GameProcessFrame () at similar/main/game.cpp:1848
#15 d2x::game_handler () at similar/main/game.cpp:1615
#16 in dcx::window_send_event () at common/include/window.h:116
#17 dcx::event_process () at common/arch/sdl/event.cpp:176
#18 in newmenu_do2 () at similar/main/newmenu.cpp:498
#19 in newmenu_do2<dcx::unused_newmenu_userdata_t> () at common/main/newmenu.h:184
#20 newmenu_do<dcx::unused_newmenu_userdata_t const> () at common/main/newmenu.h:190
#21 newmenu_do<1ul, dcx::unused_newmenu_userdata_t const> () at common/main/newmenu.h:196
#22 net_udp_wait_for_requests () at similar/main/net_udp.cpp:4563
#23 net_udp_level_sync () at similar/main/net_udp.cpp:4607
#24 in multi_level_sync () at similar/main/multi.cpp:3458
#25 in d2x::StartNewLevelSub () at similar/main/gameseq.cpp:1803
#26 in d2x::StartNewLevel () at similar/main/gameseq.cpp:2018
#27 in d2x::AdvanceLevel () at similar/main/gameseq.cpp:1648
#28 in d2x::DoPlayerDead () at similar/main/gameseq.cpp:1721
The root cause of this is the layering violation:
- Killing the player can have the side effect of advancing the level
- Advancing the level can have the side effect of calling multiplayer code while the level data is in an inconsistent state
- Calling multiplayer code can cause the event system to redraw the game
- Redrawing the game can cause game logic to run
Hack around this by restoring the logic that hides the game window, so
that the window is not redrawn and the game logic is not run. This does
not fix the layering problem, but prevents crashing affected users. To
avoid undoing the feature from the breaking commit, hide the window only
when advancing to a new level, rather than unconditionally. A player
advancing to a new level already lacks the move-at-cold-start capability
even on successfully escaping the mine, so no functionality is lost with
this change. Players who are dead and do not advance to a new level
retain that capability.
Fixes: 88b5e616a9 ("Replace calls to window_set_visible in DoPlayerDead() with stop/start_time()")
Reported-by: Ninjared <https://forum.dxx-rebirth.com/showthread.php?tid=1097>
- Raise the player limit to 8.
- Remove the logic that forces player counts up/down when switching
between cooperative and deathmatch game modes.
- Add heuristics to add start positions for the extra players, since
standard maps will not have the required number of starts.