#1176 Fix memory out of bounds memory write when bulk overriding comp…

…onents without this fix, the newly introduced test case would segfault. This bug happens due to the fact that in C you loop count times, but also offset the dest_ptr, and then within the copy impl of C++, it loops count again, this means you would go count-1 * size_obj out of memory bounds for src as well as dest ptr. This fix is the correct fix as it limits src ptr to just 1, while the dest ptr still gets offset each iteration. (this was previously discussed with sanders, the information above is just for tracking why & what)
SanderMertens · Mar 22, 2024 · d246b36 · d246b36
1 parent 87f9ae6
commit d246b36
Show file tree

Hide file tree

Showing 5 changed files with 99 additions and 44 deletions.
diff --git a/flecs.c b/flecs.c
@@ -15148,7 +15148,7 @@ void flecs_override_copy(
     int32_t i;
     if (copy) {
         for (i = 0; i < count; i ++) {
-            copy(ptr, src, count, ti);
+            copy(ptr, src, 1, ti);
             ptr = ECS_OFFSET(ptr, size);
         }
     } else {

diff --git a/src/observable.c b/src/observable.c
@@ -500,7 +500,7 @@ void flecs_override_copy(
     int32_t i;
     if (copy) {
         for (i = 0; i < count; i ++) {
-            copy(ptr, src, count, ti);
+            copy(ptr, src, 1, ti);
             ptr = ECS_OFFSET(ptr, size);
         }
     } else {

diff --git a/test/api/project.json b/test/api/project.json
@@ -1068,7 +1068,8 @@
                 "on_set_hook_on_override",
                 "on_set_hook_on_auto_override",
                 "batched_set_new_component_w_lifecycle",
-                "batched_ensure_new_component_w_lifecycle"
+                "batched_ensure_new_component_w_lifecycle",
+                "on_nested_prefab_copy_test_invokes_copy_count"
             ]
         }, {
             "id": "Sorting",