Context
The Recast module has a helper struct rcScopedDelete for allocating, resizing and automatically freeing the allocated memory when the struct goes out of scope. Its allocation functions can be overridden, but by default it calls alloc, memcpy and free.
Problem
rcScopedDelete's implementation of resize copies an incorrect number of elements from the array when growing the array:
bool rcScopedDelete<T>::resizeGrow(int n)
It copies 'n' elements, which is the new, larger size, rather than 'size' elements, which is the old size. The copy therefore reads memory beyond the bounds of the array's previous allocation.
This is bad but in general doesn't cause crashes. On rare occasions the memory read is not allocated to the process, which can lead the OS to throw a segfault. Users have run into this on their dedicated servers.
Difficult to repro segfault, but inspection of code reveals the logical error. See description.
Full callstack was not reported.
rcScopedDelete<T>::resizeGrow()
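The grow path described above, as an added example that is not the Recast or Unreal Engine source: `ScopedBuf`, `copyCount` and `demoGrowPreservesData` are hypothetical names, and zeroing the new tail is an extra hardening step this sketch assumes, not something the report states. The over-reading copy is kept as a comment beside the bounded one.

```cpp
#include <cstdlib>
#include <cstring>
#include <type_traits>

// Hypothetical stand-in for rcScopedDelete<T>; not the Recast source.
template <typename T>
struct ScopedBuf {
    static_assert(std::is_trivially_copyable<T>::value, "memcpy needs POD-like T");
    T*  ptr  = nullptr;
    int size = 0;                       // elements currently allocated

    ~ScopedBuf() { std::free(ptr); }

    // Elements that may legally be read from the old buffer when growing
    // to n elements: never more than the old size.
    int copyCount(int n) const { return size < n ? size : n; }

    bool resizeGrow(int n) {
        if (n <= size) return true;     // nothing to grow
        T* newData = static_cast<T*>(std::malloc(sizeof(T) * n));
        if (!newData) return false;     // old buffer stays valid on failure
        // Pattern from the report (reads n elements from a size-element buffer):
        //   std::memcpy(newData, ptr, sizeof(T) * n);
        // Bounded copy: only the elements the old allocation actually holds.
        if (ptr) std::memcpy(newData, ptr, sizeof(T) * copyCount(n));
        // Assumption of this sketch: zero the tail so callers never see
        // uninitialized heap contents in the newly added elements.
        std::memset(newData + size, 0, sizeof(T) * (n - size));
        std::free(ptr);
        ptr  = newData;
        size = n;
        return true;
    }
};

// Constructed usage: grow 4 -> 16 and confirm the old data survived intact.
bool demoGrowPreservesData() {
    ScopedBuf<int> b;
    if (!b.resizeGrow(4)) return false;
    for (int i = 0; i < 4; ++i) b.ptr[i] = i + 1;
    if (!b.resizeGrow(16)) return false;
    for (int i = 0; i < 4; ++i) if (b.ptr[i] != i + 1) return false;
    for (int i = 4; i < 16; ++i) if (b.ptr[i] != 0) return false;
    return b.size == 16;
}
```

Building the commented-out variant with `-fsanitize=address` reports the over-read as a heap-buffer-overflow on every grow, which turns the rare segfault into a deterministic finding.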
There's no existing public thread on this issue, so head over to Questions & Answers and mention UE-229635 in the post.
Component | UE - AI - Navigation |
---|---|
Affects Versions | 5.4 |
Target Fix | 5.6 |
Fix Commit | 37789076 |
Created | Nov 5, 2024 |
Resolved | Nov 5, 2024 |
Updated | Nov 7, 2024 |