Topic: Memory Corruption Bug in Plugin v4.22.0.33

We discovered a memory corruption bug in the plugin that occurs during the deserialization of a USubstanceGraphInstance in USubstanceGraphInstance::SerializeCurrent().

The problem is that a string that is possibly not null-terminated is passed to SubstanceAir::parsePreset(), which requires a null-terminated string.

To repro:
  • Start the project with the -stompmalloc argument
  • Load a SubstanceGraphInstance whose presetsSize is divisible by 8 (in our case it was 5344)
  • CRASH!

This is our fix in SubstanceGraphInstance.cpp:

Before:
if (presetsSize > 0)
{
    char* presetData = new char[presetsSize]; // exactly presetsSize bytes: no room for a '\0'

    Ar.ByteOrderSerialize(presetData, presetsSize);

    SubstanceAir::parsePreset(*InstancePreset.Get(), presetData);
    delete[] presetData;

    //Handle transacting
    if (Ar.IsTransacting() && Instance && InstancePreset->mPackageUrl == Instance->mDesc.mPackageUrl)
    {
        InstancePreset->apply(*Instance);
    }
}

After:
if (presetsSize > 0)
{
    TArray<char> presetData;
    presetData.SetNumUninitialized(presetsSize + 1); // one extra byte for the terminator

    Ar.ByteOrderSerialize(presetData.GetData(), presetsSize);
    presetData[presetsSize] = '\0'; // parsePreset() requires a null-terminated string
    SubstanceAir::parsePreset(*InstancePreset.Get(), presetData.GetData());

    //Handle transacting
    if (Ar.IsTransacting() && Instance && InstancePreset->mPackageUrl == Instance->mDesc.mPackageUrl)
    {
        InstancePreset->apply(*Instance);
    }
}
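Added illustration, not the plugin's code: a stand-in for the serialize path showing why presetsSize bytes with no terminator are unsafe to hand to a C-string parser, and the shape the fix gives the buffer. parsePresetStandIn, the archive bytes and the length check are constructed for this example.

```cpp
// Added illustration, not the plugin's code: a stand-in for the serialize path
// showing why a presetsSize-byte blob must get its own '\0' before a C-string
// parser sees it, plus a length check a deserializer should make on the way.
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for SubstanceAir::parsePreset: scans until '\0', as a C-string
// parser does, so it is only safe on a terminated buffer.
static std::string parsePresetStandIn(const char* data) {
    return std::string(data);
}

// Constructed archive bytes: an 8-byte preset blob with no terminator, the
// shape (presetsSize divisible by 8) that the report says triggers the crash.
static const std::vector<char> kArchivePreset =
    {'<', 'p', 'r', 'e', 's', 'e', 't', '>'};

// The "Before" shape: exactly presetsSize bytes are allocated and filled, so
// nothing guarantees a '\0' inside the buffer. This only reports that fact; it
// never scans past the allocation.
bool serializedBufferHasTerminator(const std::vector<char>& archive,
                                   size_t presetsSize) {
    std::vector<char> presetData(presetsSize);
    std::memcpy(presetData.data(), archive.data(), presetsSize);
    return std::memchr(presetData.data(), '\0', presetsSize) != nullptr;
}

// The "After" shape: presetsSize + 1 bytes and an explicit terminator. It also
// refuses a presetsSize larger than the archive holds (a constructed check, not
// one the report discusses), because that length arrives from the asset file.
// Returns the parsed preset, or an empty string when the input is rejected.
std::string deserializePresetSafely(const std::vector<char>& archive,
                                    size_t presetsSize) {
    if (presetsSize == 0 || presetsSize > archive.size()) {
        return std::string();
    }
    std::vector<char> presetData(presetsSize + 1);
    std::memcpy(presetData.data(), archive.data(), presetsSize);
    presetData[presetsSize] = '\0';
    return parsePresetStandIn(presetData.data());
}
```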