Out of bounds access in CStudioModelRenderer::StudioSetupBones

[SamVanheer]

The studio model renderer accesses bone data using an invalid index here:

halflife/cl_dll/StudioModelRenderer.cpp

Line 941 in c7240b9

else if ( !strcmp( pbones[ pbones[i].parent ].name, "Bip01 Pelvis" ) )

Bones that don't have a parent have a parent index of -1. This code thus treats the memory region right before the first bone to be a bone as well. Since the entire model is loaded into a contiguous chunk of memory this is accessing another part of the model and reinterpreting it. This is also why it doesn't crash due to accessing invalid memory.

It is also possible to access out of bounds memory if the parent index is invalid.

This can be fixed by adding bounds checking to that code. Additionally bounds checking in the model loading code can help catch invalid access as well.

[tschumann]

So it should just be changed to: else if ( pbones[i].parent != -1 && !strcmp( pbones[ pbones[i].parent ].name, "Bip01 Pelvis" ) ) Or is there more to it?

[SamVanheer]

You can see how i fixed here: twhl-community/halflife-updated@68bb362