Description

Context

The Recast module has a helper struct rcScopedDelete for allocating, resizing and automatically freeing the allocated memory when the struct goes out of scope. Its allocation functions can be overridden, but by default it calls alloc, memcpy and free.

Problem

rcScopedDelete's implementation of resize copies an incorrect number of elements from the array when growing the array:

bool rcScopedDelete<T>::resizeGrow(int n) 

It copies 'n' elements, the new larger size, rather than 'size' elements, the old size. The memcpy therefore reads (n - size) elements past the end of the previously allocated array, an out-of-bounds read of the old buffer.

This is bad but in general doesn't cause crashes. On rare occasions memory is read that's not allocated to the process, which can lead the OS to throw a segfault. Users have run into this on their dedicated servers.
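The copy-length bug described above, shown as an added example that is not Recast's or Unreal Engine's code: a minimal stand-in for rcScopedDelete with the buggy grow (copy n elements) next to the corrected one (copy size elements). It assumes plain malloc/free in place of the module's overridable allocation functions, and swaps the raw memcpy for a checked copy that counts, instead of performing, the bytes an unchecked memcpy would read past the old buffer.

```cpp
// Added example, not the original rcScopedDelete. Uses malloc/free in place of
// the module's overridable allocation functions (assumption for illustration).
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <cstring>

// Instrumented copy: copies only what the source really holds and returns how
// many bytes an unchecked memcpy(dst, src, bytes) would have read out of bounds.
static size_t checkedCopy(void* dst, const void* src, size_t bytes, size_t srcCapacityBytes)
{
    size_t safe = bytes < srcCapacityBytes ? bytes : srcCapacityBytes;
    if (safe) memcpy(dst, src, safe);
    return bytes - safe;
}

template <class T>
struct ScopedArray
{
    T* ptr = nullptr;
    int size = 0;        // current element count; the "old size" during a grow
    size_t overread = 0; // bytes an unchecked memcpy would have read past the old buffer

    ~ScopedArray() { free(ptr); }

    // Buggy form: copies n (new) elements from a buffer that only holds size elements.
    bool resizeGrowBuggy(int n) { return grow(n, (size_t)n * sizeof(T)); }

    // Fixed form: copies only the size (old) elements that actually exist.
    bool resizeGrowFixed(int n) { return grow(n, (size_t)size * sizeof(T)); }

private:
    bool grow(int n, size_t bytesToCopy)
    {
        assert(n > size);
        T* newPtr = (T*)malloc((size_t)n * sizeof(T));
        if (!newPtr) return false;
        if (ptr)
        {
            overread += checkedCopy(newPtr, ptr, bytesToCopy, (size_t)size * sizeof(T));
            free(ptr);
        }
        ptr = newPtr;
        size = n;
        return true;
    }
};

struct GrowResult
{
    size_t overread; // bytes read beyond the old allocation by the copy
    bool dataIntact; // old elements survived the grow
};

// Grows a 4-element int array to 16 elements with either variant and reports
// the out-of-bounds read the copy would have performed.
GrowResult growFourToSixteen(bool useFixed)
{
    ScopedArray<int> a;
    a.resizeGrowFixed(4); // initial allocation; nothing to copy yet
    for (int i = 0; i < 4; ++i) a.ptr[i] = i;

    if (useFixed) a.resizeGrowFixed(16);
    else          a.resizeGrowBuggy(16);

    bool intact = true;
    for (int i = 0; i < 4; ++i) intact = intact && (a.ptr[i] == i);
    return GrowResult{ a.overread, intact };
}
```

The buggy variant asks for 16 * sizeof(int) = 64 bytes from a 16-byte buffer, so 48 bytes lie outside the old allocation; the fixed variant reads exactly the 16 bytes that exist. In the real allocator the over-read usually lands in heap memory that the process still owns, which is why the bug is silent until the old buffer happens to sit at the end of a mapped region.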

Steps to Reproduce

Difficult to repro segfault, but inspection of code reveals the logical error. See description.

Callstack

Full callstack was not reported.

rcScopedDelete<T>::resizeGrow()

Have Comments or More Details?

There's no existing public thread on this issue, so head over to Questions & Answers and mention UE-229635 in the post.


Status: Fixed
Component: UE - AI - Navigation
Affects Versions: 5.4
Target Fix: 5.6
Fix Commit: 37789076
Created: Nov 5, 2024
Resolved: Nov 5, 2024
Updated: Nov 7, 2024