fix(RCE): patches various RCE exploits present in QoS

ujicos · ujicos · commit 557a25e5a474 · 2026-05-11T19:36:44.000+02:00
diff --git a/src/component/engine/patches/patches.cpp b/src/component/engine/patches/patches.cpp
@@ -33,6 +33,27 @@ namespace patches
 
 	namespace
 	{
+		constexpr std::size_t k_huffman_max_decoded_bytes = 0x20000;
+		constexpr std::size_t k_huffman_max_compressed_bytes = k_huffman_max_decoded_bytes / 8;
+		constexpr std::size_t k_ui_replace_directive_max_len = 0x100;
+		constexpr std::size_t k_party_member_join_max_message_bytes = 0x4000;
+
+		std::size_t bounded_length(const char* value, const std::size_t max_len)
+		{
+			if (!value)
+			{
+				return 0;
+			}
+
+			std::size_t length = 0;
+			while (length < max_len && value[length] != '\0')
+			{
+				++length;
+			}
+
+			return length;
+		}
+
 		std::string build_shortversion_string()
 		{
 			std::string version = VERSION_PRODUCT;
@@ -90,6 +111,85 @@ namespace patches
 			return 1;
 		}
 
+		using cl_parse_server_message_huffman_t = unsigned int(__cdecl*)(int, _DWORD*);
+		utils::hook::detour cl_parse_server_message_huffman_hook;
+		unsigned int __cdecl CL_ParseServerMessage_huffman_guard(int a1, _DWORD* a2)
+		{
+			const auto* const original = reinterpret_cast<cl_parse_server_message_huffman_t>(cl_parse_server_message_huffman_hook.get_original());
+
+			if (!a2)
+			{
+				return original(a1, a2);
+			}
+
+			if (a2[5] < a2[7])
+			{
+				game::Com_Error(
+					(int)".\\cl_parse_mp.cpp",
+					1243,
+					1,
+					(char*)"Huffman compressed msg cursor underflow detected\n");
+				return 0;
+			}
+
+			const auto compressed_bytes = static_cast<std::size_t>(a2[5] - a2[7]);
+			if (compressed_bytes > k_huffman_max_compressed_bytes)
+			{
+				game::Com_Error(
+					(int)".\\cl_parse_mp.cpp",
+					1243,
+					1,
+					(char*)"Huffman compressed msg exceeded safe decode limit (%zu > %zu)\n",
+					compressed_bytes,
+					k_huffman_max_compressed_bytes);
+				return 0;
+			}
+
+			return original(a1, a2);
+		}
+
+		using ui_replace_directive_t = char*(__fastcall*)(int, char*, int, unsigned __int8);
+		utils::hook::detour ui_replace_directive_hook;
+		char* __fastcall UI_ReplaceDirective_guard(int ArgList, char* a2, int a3, unsigned __int8 a4)
+		{
+			const auto* const original = reinterpret_cast<ui_replace_directive_t>(ui_replace_directive_hook.get_original());
+			const auto* const arg_list = reinterpret_cast<const char*>(ArgList);
+			if (bounded_length(arg_list, k_ui_replace_directive_max_len + 1) > k_ui_replace_directive_max_len
+				|| bounded_length(a2, k_ui_replace_directive_max_len + 1) > k_ui_replace_directive_max_len)
+			{
+				game::Com_Printf(0, "UI_ReplaceDirective: rejected oversized directive input\n");
+				return a2;
+			}
+
+			return original(ArgList, a2, a3, a4);
+		}
+
+		using party_atomic_host_handle_member_join_t = int(__cdecl*)(char, _DWORD*, int, __int64, int, _DWORD*);
+		utils::hook::detour party_atomic_host_handle_member_join_hook;
+		int __cdecl PartyAtomicHost_HandleMemberJoin_guard(char a1, _DWORD* a2, int a3, __int64 a4, int a5, _DWORD* a6)
+		{
+			const auto* const original = reinterpret_cast<party_atomic_host_handle_member_join_t>(party_atomic_host_handle_member_join_hook.get_original());
+			if (!a2 || !a6)
+			{
+				return original(a1, a2, a3, a4, a5, a6);
+			}
+
+			if (a6[5] < a6[7])
+			{
+				game::Com_Printf(0, "PartyAtomicHost_HandleMemberJoin: rejected malformed message cursor\n");
+				return 0;
+			}
+
+			const auto unread_bytes = static_cast<std::size_t>(a6[5] - a6[7]);
+			if (unread_bytes > k_party_member_join_max_message_bytes)
+			{
+				game::Com_Printf(0, "PartyAtomicHost_HandleMemberJoin: rejected oversized message (%zu bytes)\n", unread_bytes);
+				return 0;
+			}
+
+			return original(a1, a2, a3, a4, a5, a6);
+		}
+
 		bool dvar_enabled(const char* name)
 		{
 			const auto* const dvar = game::Dvar_FindVar(name);
@@ -497,6 +597,10 @@ namespace patches
 #endif
 			}, scheduler::main);
 
+			cl_parse_server_message_huffman_hook.create(game::game_offset(0x1030D960), CL_ParseServerMessage_huffman_guard);
+			ui_replace_directive_hook.create(game::game_offset(0x102BB870), UI_ReplaceDirective_guard);
+			party_atomic_host_handle_member_join_hook.create(game::game_offset(0x103087B0), PartyAtomicHost_HandleMemberJoin_guard);
+
 			scheduler::loop([]
 			{
 				make_dvar_saved_and_writable("sv_cheats");
