From be6a6dead4870f0a4e3829c0ed9e5c34527fbb87 Mon Sep 17 00:00:00 2001
From: ManDude <7569514+ManDude@users.noreply.github.com>
Date: Sun, 3 Dec 2023 09:24:34 +0000
Subject: [PATCH] [jak2] fix use-after-free bug in nav enemies (#3240)

Fixes #3153
---
 goal_src/jak2/engine/nav/nav-enemy.gc | 8 ++++---
 .../jak2/engine/target/mech/grunt-mech.gc | 8 ++++---
 .../jak2/levels/castle/boss/castle-baron.gc | 24 ++++++++++++-------
 .../jak2/levels/castle/roboguard-level.gc | 8 ++++---
 .../city/kiddogescort/crocesc-states.gc | 8 ++++---
 .../levels/city/kiddogescort/kidesc-states.gc | 8 ++++---
 .../levels/city/traffic/citizen/civilian.gc | 24 ++++++++++++-------
 .../jak2/levels/common/enemy/fodder/fodder.gc | 16 ++++++++-----
 .../jak2/levels/common/enemy/metalmonk.gc | 24 ++++++++++++-------
 goal_src/jak2/levels/common/enemy/spyder.gc | 8 ++++---
 .../jak2/levels/common/entities/spydroid.gc | 8 ++++---
 goal_src/jak2/levels/mountain/rhino.gc | 8 ++++---
 goal_src/jak2/levels/nest/mantis.gc | 8 ++++---
 13 files changed, 100 insertions(+), 60 deletions(-)

diff --git a/goal_src/jak2/engine/nav/nav-enemy.gc b/goal_src/jak2/engine/nav/nav-enemy.gc
index 5f6d56f0ed..092185489d 100644
--- a/goal_src/jak2/engine/nav/nav-enemy.gc
+++ b/goal_src/jak2/engine/nav/nav-enemy.gc
@@ -2598,9 +2598,11 @@ This commonly includes things such as:
 (t9-0)
 )
 )
- (let ((v1-4 (-> self nav)))
- (logclear! (-> v1-4 shape nav-flags) (nav-flags has-extra-sphere))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-4 (-> self nav)))
+ (logclear! (-> v1-4 shape nav-flags) (nav-flags has-extra-sphere))
+ ))
 0
 )
 :code (behavior ()
diff --git a/goal_src/jak2/engine/target/mech/grunt-mech.gc b/goal_src/jak2/engine/target/mech/grunt-mech.gc
index 4f3af9efbc..bf7d3ba18e 100644
--- a/goal_src/jak2/engine/target/mech/grunt-mech.gc
+++ b/goal_src/jak2/engine/target/mech/grunt-mech.gc
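Review bot: Every new guard loads `(-> self nav)` twice, once for the test and again inside the `let`, and the same five lines, comment included, are pasted at twenty sites in this patch, back-to-back within a single handler in fodder.gc, metalmonk.gc and castle-baron.gc. Binding the field once reads as one check and drops the second load: `(let ((nav (-> self nav))) (when nav (logclear! (-> nav shape nav-flags) (nav-flags has-extra-sphere))))`, and the adjacent pairs can share that one binding. The comment says only that a use-after-free is avoided; it should say what state makes `nav` false when this handler runs — presumably the nav control has already been released, which #3153 should confirm — e.g. `;; og:preserve-this nav can already be released by the time this runs (see #3153)`. The behavior this hunk patches begins outside the hunk.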
@@ -683,9 +683,11 @@
 (set! (-> v1-1 prim-core collide-as) (-> self root backup-collide-as))
 (set! (-> v1-1 prim-core collide-with) (-> self root backup-collide-with))
 )
- (let ((v1-2 (-> self nav)))
- (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-2 (-> self nav)))
+ (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
+ ))
 0
 (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
 )
diff --git a/goal_src/jak2/levels/castle/boss/castle-baron.gc b/goal_src/jak2/levels/castle/boss/castle-baron.gc
index 54874d51ae..0b4ca555f7 100644
--- a/goal_src/jak2/levels/castle/boss/castle-baron.gc
+++ b/goal_src/jak2/levels/castle/boss/castle-baron.gc
@@ -2218,14 +2218,18 @@ For example for an elevator pre-compute the distance between the first and last
 )
 :exit (behavior ()
 (set! (-> self next-shooting-frame) 200)
- (let ((v1-1 (-> self nav)))
- (set! (-> v1-1 target-speed) 122880.0)
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-1 (-> self nav)))
+ (set! (-> v1-1 target-speed) 122880.0)
+ ))
 0
 (set! (-> *krew-boss-nav-enemy-info* run-travel-speed) 122880.0)
- (let ((v1-5 (-> self nav)))
- (set! (-> v1-5 sphere-mask) (the-as uint #x800f8))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-5 (-> self nav)))
+ (set! (-> v1-5 sphere-mask) (the-as uint #x800f8))
+ ))
 0
 (if (logtest? (enemy-flag enemy-flag43) (-> self enemy-flags))
 (logior! (-> self nav flags) (nav-control-flag update-heading-from-facing))
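Review bot: In the castle-baron hunk the two `let` accesses are now guarded, but the hunk's last line, `(logior! (-> self nav flags) (nav-control-flag update-heading-from-facing))`, still dereferences `nav` unconditionally in the same :exit; if `nav` can be absent when this handler runs, that line fails the way the guarded ones did, and if it cannot, the guards above it are dead. Wrapping it the same way keeps the handler consistent: `(if (-> self nav) (logior! (-> self nav flags) (nav-control-flag update-heading-from-facing)))`. The same gap appears in roboguard-level.gc, where `(logclear! (-> self nav flags) (nav-control-flag output-sphere-hash))` runs unguarded on the line immediately before the new check. Both :exit bodies continue past their hunks.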
@@ -2997,9 +3001,11 @@ For example for an elevator pre-compute the distance between the first and last
 (t9-0)
 )
 )
- (let ((v1-4 (-> self nav)))
- (set! (-> v1-4 sphere-mask) (the-as uint #x800f8))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-4 (-> self nav)))
+ (set! (-> v1-4 sphere-mask) (the-as uint #x800f8))
+ ))
 0
 )
 :trans (behavior ()
diff --git a/goal_src/jak2/levels/castle/roboguard-level.gc b/goal_src/jak2/levels/castle/roboguard-level.gc
index 64098efae4..1af854c869 100644
--- a/goal_src/jak2/levels/castle/roboguard-level.gc
+++ b/goal_src/jak2/levels/castle/roboguard-level.gc
@@ -368,9 +368,11 @@
 )
 :exit (behavior ()
 (logclear! (-> self nav flags) (nav-control-flag output-sphere-hash))
- (let ((v1-2 (-> self nav)))
- (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-2 (-> self nav)))
+ (logclear! (-> v1-2 shape nav-flags) (nav-flags has-extra-sphere))
+ ))
 0
 )
 :code (behavior ()
diff --git a/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc b/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc
index 829d66781f..600dc0f74e 100644
--- a/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc
+++ b/goal_src/jak2/levels/city/kiddogescort/crocesc-states.gc
@@ -601,9 +601,11 @@
 (set! (-> self vehicle-handle) (the-as handle #f))
 (logclear! (-> self bot-flags) (bot-flags bf16))
 (logclear! (-> self focus-status) (focus-status pilot-riding pilot))
- (let ((v1-5 (-> self nav)))
- (logclear! (-> v1-5 shape nav-flags) (nav-flags has-extra-sphere))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-5 (-> self nav)))
+ (logclear! (-> v1-5 shape nav-flags) (nav-flags has-extra-sphere))
+ ))
 0
 (logclear! (-> self focus-status) (focus-status disable))
 (let ((v1-10 (-> self enemy-flags)))
diff --git a/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc b/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc
index 89d8eff850..56b0ff6857 100644
--- a/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc
+++ b/goal_src/jak2/levels/city/kiddogescort/kidesc-states.gc
@@ -551,9 +551,11 @@
 (set! (-> self vehicle-handle) (the-as handle #f))
 (logclear! (-> self bot-flags) (bot-flags bf16))
 (logclear! (-> self focus-status) (focus-status pilot-riding pilot))
- (let ((v1-11 (-> self nav)))
- (logclear! (-> v1-11 shape nav-flags) (nav-flags has-extra-sphere))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-11 (-> self nav)))
+ (logclear! (-> v1-11 shape nav-flags) (nav-flags has-extra-sphere))
+ ))
 0
 (logclear! (-> self focus-status) (focus-status disable))
 (let ((v1-16 (-> self enemy-flags)))
diff --git a/goal_src/jak2/levels/city/traffic/citizen/civilian.gc b/goal_src/jak2/levels/city/traffic/citizen/civilian.gc
index bfd3ab1e5d..1200d1dc95 100644
--- a/goal_src/jak2/levels/city/traffic/citizen/civilian.gc
+++ b/goal_src/jak2/levels/city/traffic/citizen/civilian.gc
@@ -1092,9 +1092,11 @@
 (set! (-> v1-5 prim-core collide-with) (-> self root backup-collide-with))
 )
 (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
- (let ((v1-9 (-> self nav)))
- (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-9 (-> self nav)))
+ (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
+ ))
 0
 )
 :trans (behavior ()
@@ -1170,9 +1172,11 @@
 (set! (-> v1-5 prim-core collide-with) (-> self root backup-collide-with))
 )
 (logior! (-> self root nav-flags) (nav-flags has-root-sphere))
- (let ((v1-9 (-> self nav)))
- (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-9 (-> self nav)))
+ (set! (-> v1-9 sphere-mask) (the-as uint #x800fe))
+ ))
 0
 )
 :trans (behavior ()
@@ -1594,9 +1598,11 @@
 0
 )
 :exit (behavior ()
- (let ((v1-0 (-> self nav)))
- (set! (-> v1-0 sphere-mask) (the-as uint #x800fe))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-0 (-> self nav)))
+ (set! (-> v1-0 sphere-mask) (the-as uint #x800fe))
+ ))
 0
 (logclear! (-> self flags) (citizen-flag persistent))
 )
diff --git a/goal_src/jak2/levels/common/enemy/fodder/fodder.gc b/goal_src/jak2/levels/common/enemy/fodder/fodder.gc
index 7945b518ef..4987326069 100644
--- a/goal_src/jak2/levels/common/enemy/fodder/fodder.gc
+++ b/goal_src/jak2/levels/common/enemy/fodder/fodder.gc
@@ -580,13 +580,17 @@
 0
 )
 :exit (behavior ()
- (let ((v1-0 (-> self nav)))
- (set! (-> v1-0 target-speed) (-> self enemy-info run-travel-speed))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-0 (-> self nav)))
+ (set! (-> v1-0 target-speed) (-> self enemy-info run-travel-speed))
+ ))
 0
- (let ((v1-2 (-> self nav)))
- (set! (-> v1-2 turning-acceleration) (-> self enemy-info run-turning-acceleration))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-2 (-> self nav)))
+ (set! (-> v1-2 turning-acceleration) (-> self enemy-info run-turning-acceleration))
+ ))
 0
 (fodder-method-181 self #f)
 (if (logtest? (-> self enemy-flags) (enemy-flag check-water))
diff --git a/goal_src/jak2/levels/common/enemy/metalmonk.gc b/goal_src/jak2/levels/common/enemy/metalmonk.gc
index 43d1584fe0..b35c150d29 100644
--- a/goal_src/jak2/levels/common/enemy/metalmonk.gc
+++ b/goal_src/jak2/levels/common/enemy/metalmonk.gc
@@ -553,13 +553,17 @@
 (t9-0)
 )
 )
- (let ((v1-4 (-> self nav)))
- (set! (-> v1-4 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-4 (-> self nav)))
+ (set! (-> v1-4 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
+ ))
 0
- (let ((v1-6 (-> self nav)))
- (set! (-> v1-6 turning-acceleration) (-> self enemy-info run-turning-acceleration))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-6 (-> self nav)))
+ (set! (-> v1-6 turning-acceleration) (-> self enemy-info run-turning-acceleration))
+ ))
 0
 )
 :code (behavior ()
@@ -725,9 +729,11 @@
 (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
 (metalmonk-method-180 self #f)
 (nav-enemy-method-168 self)
- (let ((v1-6 (-> self nav)))
- (set! (-> v1-6 target-speed) (-> self enemy-info run-travel-speed))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-6 (-> self nav)))
+ (set! (-> v1-6 target-speed) (-> self enemy-info run-travel-speed))
+ ))
 0
 (if (logtest? (-> self enemy-flags) (enemy-flag check-water))
 (logior! (-> self focus-status) (focus-status dangerous))
diff --git a/goal_src/jak2/levels/common/enemy/spyder.gc b/goal_src/jak2/levels/common/enemy/spyder.gc
index edfcb3c3c0..36b52556cd 100644
--- a/goal_src/jak2/levels/common/enemy/spyder.gc
+++ b/goal_src/jak2/levels/common/enemy/spyder.gc
@@ -1008,9 +1008,11 @@
 )
 :exit (behavior ()
 (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
- (let ((v1-2 (-> self nav)))
- (set! (-> v1-2 max-rotation-rate) (-> *spyder-nav-enemy-info* maximum-rotation-rate))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-2 (-> self nav)))
+ (set! (-> v1-2 max-rotation-rate) (-> *spyder-nav-enemy-info* maximum-rotation-rate))
+ ))
 0
 )
 :trans (behavior ()
diff --git a/goal_src/jak2/levels/common/entities/spydroid.gc b/goal_src/jak2/levels/common/entities/spydroid.gc
index bffa560473..3c697d9d56 100644
--- a/goal_src/jak2/levels/common/entities/spydroid.gc
+++ b/goal_src/jak2/levels/common/entities/spydroid.gc
@@ -914,9 +914,11 @@
 :exit (behavior ()
 (logclear! (-> self enemy-flags) (enemy-flag actor-pause-backup))
 (nav-enemy-method-168 self)
- (let ((v1-4 (-> self nav)))
- (set! (-> v1-4 target-speed) (-> self enemy-info run-travel-speed))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-4 (-> self nav)))
+ (set! (-> v1-4 target-speed) (-> self enemy-info run-travel-speed))
+ ))
 0
 (if (logtest? (-> self enemy-flags) (enemy-flag check-water))
 (logior! (-> self focus-status) (focus-status dangerous))
diff --git a/goal_src/jak2/levels/mountain/rhino.gc b/goal_src/jak2/levels/mountain/rhino.gc
index b0748e50da..92d02779b0 100644
--- a/goal_src/jak2/levels/mountain/rhino.gc
+++ b/goal_src/jak2/levels/mountain/rhino.gc
@@ -1282,9 +1282,11 @@
 (set! (-> v1-1 speed) 0.0)
 )
 0
- (let ((v1-3 (-> self nav)))
- (set! (-> v1-3 target-speed) (-> self enemy-info walk-travel-speed))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-3 (-> self nav)))
+ (set! (-> v1-3 target-speed) (-> self enemy-info walk-travel-speed))
+ ))
 0
 (set! (-> self in-stop-run) #f)
 )
diff --git a/goal_src/jak2/levels/nest/mantis.gc b/goal_src/jak2/levels/nest/mantis.gc
index 55d3d815c2..ffa71b3671 100644
--- a/goal_src/jak2/levels/nest/mantis.gc
+++ b/goal_src/jak2/levels/nest/mantis.gc
@@ -748,9 +748,11 @@
 )
 :exit (behavior ()
 (change-to (nav-mesh-from-res-tag (-> self entity) 'nav-mesh-actor 0) self)
- (let ((v1-2 (-> self nav)))
- (set! (-> v1-2 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
- )
+ ;; og:preserve-this fix potential use-after-free bug
+ (if (-> self nav)
+ (let ((v1-2 (-> self nav)))
+ (set! (-> v1-2 max-rotation-rate) (-> self enemy-info maximum-rotation-rate))
+ ))
 0
 )
 :trans (behavior ()