Version of OpenTTD
Crash logs are from 20190603-master-g846fc8fe09, but this bug has probably been in the game since NoAI/NoGo were implemented.
Expected result
array(2147483648) and up should throw an error "couldn't create/resize an array of/to size 2147483648", where 2147483648 is replaced with the actual number (any number greater than or equal to it).
Actual result
array(2147483648) crashes the game in a number of different possible ways.
The game can close itself with no error message. This may or may not create a crash log.
An OS system message "OpenTTD has stopped working" appears. No crash log is generated.
OpenTTD tries to allocate memory for the array (the amount allocated is the size times 12, mod 4294967296). If the truncated allocation succeeds, OpenTTD crashes. Otherwise, OpenTTD still crashes, but due to an out of memory error.
Steps to reproduce
In Start() of any AI or Game Script, put array(N) but replace N with the array size you want to test. Then run the script in-game. If N < 2147483648 and you have enough RAM, OpenTTD does not crash. Otherwise, OpenTTD will crash as described above.
Example code (main.nut):
```squirrel
class Test extends ScriptController // replace "Script" with "AI" or "GS" depending on the script type.
{
}

function Test::Start() {
    local x = array(N); // replace N with the array size you want to test (2147483648 and up crashes the game).
}
```
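As an added illustration (not code from the report or from OpenTTD/Squirrel), the arithmetic behind the "size times 12, mod 4294967296" observation above, beside the length check a 32-bit allocator would need; the 12-byte-per-slot figure is taken from the report and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-slot cost stated in the report for the 32-bit build. */
#define SLOT_BYTES 12u

/* Unchecked 32-bit size computation: the byte count wraps modulo 2^32,
 * so array(2147483648) asks for 0 bytes and the allocation "succeeds". */
uint32_t truncated_alloc_bytes(uint64_t n)
{
    return (uint32_t)(n * SLOT_BYTES); /* wraps for large n */
}

/* Checked version: reject lengths that do not fit a signed 32-bit array
 * length, and reject byte counts that would wrap a 32-bit size. Returns
 * false instead of handing a truncated size to the allocator. */
bool checked_alloc_bytes(uint64_t n, uint32_t *out_bytes)
{
    if (n > (uint64_t)INT32_MAX)       /* array(2147483648) and up */
        return false;
    if (n > UINT32_MAX / SLOT_BYTES)   /* n * 12 would exceed 2^32 - 1 */
        return false;
    *out_bytes = (uint32_t)(n * SLOT_BYTES);
    return true;
}

int main(void)
{
    uint64_t sizes[] = { 1000, 357913941, 357913942, 2147483648ULL, 2147483649ULL };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        uint32_t bytes = 0;
        bool ok = checked_alloc_bytes(sizes[i], &bytes);
        printf("array(%llu): truncated request = %u bytes, checked = %s\n",
               (unsigned long long)sizes[i], truncated_alloc_bytes(sizes[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```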
It's difficult to safely limit Squirrel memory allocations without modifying the core Squirrel runtime. I did originally try to block allocations in #7516 if they broke the limit, but it turned out Squirrel did not handle failing allocations, and it made it impossible to recover from.
Are you testing with 32 bit or 64 bit builds? In 64 bit builds an allocation of 2**31 should technically be able to succeed, but I don't know if the allocator is happy with it still.
Regardless, I don't consider this a security issue at least, more of a "well don't do that then".
All of my builds that I've used (since 2017) have been 32-bit. This is because I have a 32-bit system.
Why does this have to do with the allocator, even though the array size being at least 2**31 should already have been invalid? Other languages and compilers throw an error with array sizes greater than 2**31. Why not OpenTTD's version of Squirrel?