fix(aiupdate): Fix XFER and CRC of AIUpdateInterface::m_guardTargetType (TheSuperHackers#2662)

Author: Caball009

Generals/Code/GameEngine/Source/GameLogic/Object/Update/AIUpdate.cpp

@@ -4808,12 +4808,21 @@ void AIUpdateInterface::crc( Xfer *x )
 // ------------------------------------------------------------------------------------------------
 /** Xfer method
 	* Version Info:
-	* 1: Initial version */
+	* 1: Initial version, contains specific surrender and demoralize variables
+	* 2: Added m_demoralizedFramesLeft (behind ALLOW_DEMORALIZE)
+	* 3: Removed lastFrameMoved and repulsorCountdown; removed surrender and demoralize variables
+	* 4: Read m_curLocomotorSet from ini
+	* 5: TheSuperHackers @fix Fixed out-of-bounds xfer of m_guardTargetType
+	*/
 // ------------------------------------------------------------------------------------------------
 void AIUpdateInterface::xfer( Xfer *xfer )
 {
   // version
-  const XferVersion currentVersion = 4;
+#if RETAIL_COMPATIBLE_CRC || RETAIL_COMPATIBLE_XFER_SAVE
+	const XferVersion currentVersion = 4;
+#else
+	const XferVersion currentVersion = 5;
+#endif
   XferVersion version = currentVersion;
   xfer->xferVersion( &version, currentVersion );
 
@@ -4830,8 +4839,22 @@ void AIUpdateInterface::xfer( Xfer *xfer )
 	xfer->xferObjectID(&m_currentVictimID);
 	xfer->xferReal(&m_desiredSpeed);
 	xfer->xferUser(&m_lastCommandSource, sizeof(m_lastCommandSource));
-	xfer->xferUser(&m_guardTargetType[0], sizeof(m_guardTargetType));
-	xfer->xferUser(&m_guardTargetType[1], sizeof(m_guardTargetType));
+
+	if (version < 5)
+	{
+		// TheSuperHackers @fix The original code effectively accessed m_guardTargetType[0], [1], [1], [2].
+		// The last one is out-of-bounds and points to m_locationToGuard.
+		static_assert(sizeof(m_locationToGuard) >= sizeof(m_guardTargetType[2]), "Xfer size must not exceed variable size");
+
+		xfer->xferUser(&m_guardTargetType[0], sizeof(m_guardTargetType));
+		xfer->xferUser(&m_guardTargetType[1], sizeof(m_guardTargetType[1]));
+		xfer->xferUser(&m_locationToGuard, sizeof(m_guardTargetType[2]));
+	}
+	else
+	{
+		xfer->xferUser(m_guardTargetType, sizeof(m_guardTargetType));
+	}
+
 	xfer->xferCoord3D(&m_locationToGuard);
 
 	xfer->xferObjectID(&m_objectToGuard);

GeneralsMD/Code/GameEngine/Source/GameLogic/Object/Update/AIUpdate.cpp

@@ -5056,12 +5056,21 @@ void AIUpdateInterface::crc( Xfer *x )
 // ------------------------------------------------------------------------------------------------
 /** Xfer method
 	* Version Info:
-	* 1: Initial version */
+	* 1: Initial version, contains specific surrender and demoralize variables
+	* 2: Added m_demoralizedFramesLeft (behind ALLOW_DEMORALIZE)
+	* 3: Removed lastFrameMoved and repulsorCountdown; removed surrender and demoralize variables
+	* 4: Read m_curLocomotorSet from ini
+	* 5: TheSuperHackers @fix Fixed out-of-bounds xfer of m_guardTargetType
+	*/
 // ------------------------------------------------------------------------------------------------
 void AIUpdateInterface::xfer( Xfer *xfer )
 {
   // version
-  const XferVersion currentVersion = 4;
+#if RETAIL_COMPATIBLE_CRC || RETAIL_COMPATIBLE_XFER_SAVE
+	const XferVersion currentVersion = 4;
+#else
+	const XferVersion currentVersion = 5;
+#endif
   XferVersion version = currentVersion;
   xfer->xferVersion( &version, currentVersion );
 
@@ -5078,8 +5087,22 @@ void AIUpdateInterface::xfer( Xfer *xfer )
 	xfer->xferObjectID(&m_currentVictimID);
 	xfer->xferReal(&m_desiredSpeed);
 	xfer->xferUser(&m_lastCommandSource, sizeof(m_lastCommandSource));
-	xfer->xferUser(&m_guardTargetType[0], sizeof(m_guardTargetType));
-	xfer->xferUser(&m_guardTargetType[1], sizeof(m_guardTargetType));
+
+	if (version < 5)
+	{
+		// TheSuperHackers @fix The original code effectively accessed m_guardTargetType[0], [1], [1], [2].
+		// The last one is out-of-bounds and points to m_locationToGuard.
+		static_assert(sizeof(m_locationToGuard) >= sizeof(m_guardTargetType[2]), "Xfer size must not exceed variable size");
+
+		xfer->xferUser(&m_guardTargetType[0], sizeof(m_guardTargetType));
+		xfer->xferUser(&m_guardTargetType[1], sizeof(m_guardTargetType[1]));
+		xfer->xferUser(&m_locationToGuard, sizeof(m_guardTargetType[2]));
+	}
+	else
+	{
+		xfer->xferUser(m_guardTargetType, sizeof(m_guardTargetType));
+	}
+
 	xfer->xferCoord3D(&m_locationToGuard);
 
 	xfer->xferObjectID(&m_objectToGuard);