Context
The Recast module has a helper struct rcScopedDelete for allocating, resizing and automatically freeing the allocated memory when the struct goes out of scope. Its allocation functions can be overridden, but by default it calls alloc, memcpy and free.
Problem
rcScopedDelete's implementation of resize copies an incorrect number of elements from the array when growing the array:
bool rcScopedDelete<T>::resizeGrow(int n)
It copies 'n' elements which is the new larger size, rather than 'size' elements which is the old size. This means read-accessing memory beyond the bounds of the previous allocated memory for the array.
This is bad but in general doesn't cause crashes. On rare occasions memory is read that's not allocated to the process, which can lead the OS to throw a segfault. Users have ran into this on their dedicated servers.
Difficult to repro segfault, but inspection of code reveals the logical error. See description.
Full callstack was not reported.
rcScopedDelete<T>::resizeGrow()
There's no existing public thread on this issue, so head over to Questions & Answers just mention UE-229635 in the post.
| 0 |
| Component | UE - AI - Navigation |
|---|---|
| Affects Versions | 5.4 |
| Target Fix | 5.6 |
| Fix Commit | 37789076 |
|---|
| Created | Nov 5, 2024 |
|---|---|
| Resolved | Nov 5, 2024 |
| Updated | Nov 7, 2024 |