[HL25] Crash with too long string in autocomplete prompts in the client console
Splatt581 opened this issue
The game client crashes if the autocomplete prompts in the console receive a string that is too long.
How to reproduce:
- Type or manually paste a long string such as
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
into the client console and execute it.
- Now, while in the console, press the up button (UPARROW) or down button (DOWNARROW); the client will try to insert the last executed string into autocomplete and crash.
This bug does not work in the steam_legacy branch.
Bug №2:
Also, if you try to paste and execute the above long string into the HLDS server console with VGUI, it will cause an "Assertion failed" error.
I was unable to reproduce it on Linux, but it works on Windows.
I believe the game crashes when retrieving a previously entered console command of 254 characters, but not with 253 characters, which might be due to a buffer overflow caused by an off-by-one error in the handling of input history.
Here's the crash analysis with stack trace:
Exception Analysis
*** WARNING: Unable to verify timestamp for SDL2.dll
*** WARNING: Unable to verify checksum for chromehtml.dll
KEY_VALUES_STRING: 1
Key : AV.Fault
Value: Write
Key : Analysis.CPU.mSec
Value: 1858
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 203786
Key : Analysis.Init.CPU.mSec
Value: 1139
Key : Analysis.Init.Elapsed.mSec
Value: 74926
Key : Analysis.Memory.CommitPeak.Mb
Value: 176
Key : Timeline.OS.Boot.DeltaSec
Value: 261600
Key : Timeline.Process.Start.DeltaSec
Value: 70
Key : WER.OS.Branch
Value: ni_release
Key : WER.OS.Timestamp
Value: 2022-05-06T12:50:00Z
Key : WER.OS.Version
Value: 10.0.22621.1
Key : WER.Process.Version
Value: 1.1.1.1
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 62a19952 (gameui!CreateInterface+0x00023962)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 20def1b3
Attempt to write to address 20def1b3
FAULTING_THREAD: 00005f98
PROCESS_NAME: hl.exe
WRITE_ADDRESS: 20def1b3
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR: c0000005
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 20def1b3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00def1a8 62a19aec 00000058 25731ce0 00000012 gameui!CreateInterface+0x23962
00def1bc 62a395e3 00000058 7973bbcb 25731ce0 gameui!CreateInterface+0x23afc
00def1e8 62a3ac2b 00000058 664f6560 664f2248 gameui!CreateInterface+0x435f3
00def228 664e380a 3c154818 00000000 664f6560 gameui!CreateInterface+0x44c3b
00def25c 664e4ad9 10a650c6 00000000 00def378 vgui2+0x1380a
00def298 50c8c47a 00000000 00def378 6b860000 vgui2+0x14ad9
00def2ac 50c8baee 000002de 00000085 00000780 hw!vgui::Frame::operator=+0x180a
00def2e0 50cad8af 00def378 9614a9db 403b4dd3 hw!vgui::Frame::operator=+0xe7e
00def2f4 50c34792 00def378 07a38664 0000014c hw!vgui::Frame::operator=+0x22c3f
00def330 50c3291e 363be7a2 00000000 50d7db98 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x3c9d2
00def35c 50c811f9 363be7a2 00000001 00def378 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x3ab5e
00def37c 50c8091b 50d28000 00def3d0 50c802f8 hw!F+0x299
00def388 50c802f8 00b30000 00b36348 09366980 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x88b5b
00def3d0 00b3159c 00b30000 00b36348 09366980 hw!vgui::Dar<vgui::InputSignal *>::getCount+0x88538
00def8b4 00b32e48 00b30000 00000000 014429a9 hl+0x159c
00def900 751f7ba9 00e8f000 751f7b90 00def968 hl!CreateInterface+0x1458
00def910 770bbd2b 00e8f000 9aa0db23 00000000 KERNEL32!BaseThreadInitThunk+0x19
00def968 770bbcaf ffffffff 770e92c6 00000000 ntdll_77050000!__RtlUserThreadStart+0x2b
00def978 00000000 00b32ecc 00e8f000 00000000 ntdll_77050000!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
SYMBOL_NAME: gameui+23962
MODULE_NAME: gameui
IMAGE_NAME: gameui.dll
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_gameui.dll!Unknown
OS_VERSION: 10.0.22621.1
BUILDLAB_STR: ni_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {e2e6686e-1afe-11c1-8924-e10db4b5316a}
Followup: MachineOwner
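An added C example (not code from the game or from anyone in this thread) modelling the off-by-one hypothesised in the comment above: a fixed-size history slot whose copy length is clamped to the capacity instead of capacity minus one, so a 254-byte command writes its NUL terminator one byte past a 254-byte field while a 253-byte command stays inside; the second routine reserves the terminator byte. The 254-byte field size, the slot layout and both routines are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Illustrative model only (not the game's code): a console history slot
 * whose text field holds HISTORY_CAP bytes including the NUL terminator. */
#define HISTORY_CAP 254
#define CANARY 0xA5

/* Buggy store: clamps the copy length to cap itself, then writes the terminator
 * at dst[len]: a 254-byte input puts it at dst[254], one past a 254-byte field. */
static void history_store_buggy(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len > cap)
        len = cap;            /* wrong: no room left for the terminator */
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Fixed store: keeps the last byte for the terminator; never writes past cap - 1. */
static void history_store_fixed(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len > cap - 1)
        len = cap - 1;        /* truncate, keep one byte for '\0' */
    memcpy(dst, src, len);
    dst[len] = '\0';
}

/* Stores input_len 'a' characters (constructed input, max HISTORY_CAP + 1) into a
 * backing buffer two bytes larger than the advertised cap, with a canary right past
 * the field, so the check stays inside a real allocation. Returns 1 on overrun. */
static int overruns(void (*store)(char *, size_t, const char *), size_t input_len)
{
    char backing[HISTORY_CAP + 2];
    char input[HISTORY_CAP + 2];
    memset(backing, CANARY, sizeof backing);
    memset(input, 'a', input_len);
    input[input_len] = '\0';
    store(backing, HISTORY_CAP, input);
    return (unsigned char)backing[HISTORY_CAP] != CANARY;
}

int main(void)
{
    printf("buggy: 253 chars overrun=%d, 254 chars overrun=%d\n",
           overruns(history_store_buggy, 253), overruns(history_store_buggy, 254));
    printf("fixed: 254 chars overrun=%d\n", overruns(history_store_fixed, 254));
    return 0;
}
```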