Description

A licensee has reported a crash that is caused by a Buffer Overread in TBitArray's operator < function. While the licensee did not provide reproduction steps, the crash is apparent from looking at the offending code:

for (uint32 i = NumWords; i != ~0u; i--)
{
    if (Data0[i] != Data1[i])
    {
        return Data0[i] < Data1[i];
    }
}

Since the first iteration reads Data0[NumWords] and Data1[NumWords], one element past the end of both arrays, the licensee has suggested fixing this by subtracting 1 from NumWords in the loop's initialiser on the first line.
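The following is an added example, not engine code from the report: it places the original loop shape beside the suggested fix over a small bounds-checked word buffer (CheckedWords, LessThanOriginal, LessThanFixed and OriginalOverreads are hypothetical names), so the one-past-the-end read is observable as an exception rather than undefined behaviour, and the NumWords == 0 edge case of the fixed loop is covered.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>

// Hypothetical bounds-checked word buffer: throws on an out-of-range index
// instead of silently reading past the end of the allocation.
struct CheckedWords
{
    std::vector<uint32_t> Words;
    uint32_t operator[](uint32_t i) const
    {
        if (i >= Words.size())
            throw std::out_of_range("read past end of word array");
        return Words[i];
    }
};

// Loop shape from the report: i starts at NumWords, so the very first
// iteration touches one word past the end of both arrays.
bool LessThanOriginal(const CheckedWords& Data0, const CheckedWords& Data1, uint32_t NumWords)
{
    for (uint32_t i = NumWords; i != ~0u; i--)
    {
        if (Data0[i] != Data1[i])
            return Data0[i] < Data1[i];
    }
    return false;
}

// Suggested fix: start at the last valid index. For NumWords == 0 the
// start index is already ~0u (unsigned wrap), so the body never runs and
// two empty arrays compare as "not less", which is the right answer.
bool LessThanFixed(const CheckedWords& Data0, const CheckedWords& Data1, uint32_t NumWords)
{
    for (uint32_t i = NumWords - 1; i != ~0u; i--)
    {
        if (Data0[i] != Data1[i])
            return Data0[i] < Data1[i];
    }
    return false;
}

// True if the original loop attempts an out-of-bounds read on these inputs.
bool OriginalOverreads(const CheckedWords& Data0, const CheckedWords& Data1, uint32_t NumWords)
{
    try { LessThanOriginal(Data0, Data1, NumWords); }
    catch (const std::out_of_range&) { return true; }
    return false;
}
```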

Regression?: No
This code was present in 4.19

Steps to Reproduce

No steps were provided; please refer to the description.

Callstack
UE4Editor-Engine.dll!FSkeletalMeshLODRenderData::InitResources(bool bNeedsVertexColors, int LODIndex, TArray<...> & InMorphTargets) Line 325    C++
UE4Editor-Engine.dll!FSkeletalMeshRenderData::InitResources(bool bNeedsVertexColors, TArray<...> & InMorphTargets) Line 147    C++
UE4Editor-Engine.dll!USkeletalMesh::InvalidateRenderData() Line 1164    C++
UE4Editor-Engine.dll!USkeletalMesh::PostEditChangeProperty(FPropertyChangedEvent & PropertyChangedEvent) Line 782    C++
UE4Editor-CoreUObject.dll!UObject::PostEditChange() Line 348    C++
UE4Editor-Engine.dll!USkeletalMesh::RemoveLegacyClothingSections() Line 1350    C++
UE4Editor-Engine.dll!USkeletalMesh::PostLoad() Line 1494    C++
UE4Editor-CoreUObject.dll!UObject::ConditionalPostLoad() Line 1009    C++
UE4Editor-CoreUObject.dll!FAsyncPackage::PostLoadObjects() Line 6287    C++
UE4Editor-CoreUObject.dll!FAsyncPackage::TickAsyncPackage(bool InbUseTimeLimit, bool InbUseFullTimeLimit, float & InOutTimeLimit, FFlushTree * FlushTree) Line 5551    C++
UE4Editor-CoreUObject.dll!FAsyncLoadingThread::ProcessAsyncLoading(int & OutPackagesProcessed, bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, FFlushTree * FlushTree) Line 4472    C++
UE4Editor-CoreUObject.dll!FAsyncLoadingThread::TickAsyncThread(bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, bool & bDidSomething, FFlushTree * FlushTree) Line 4985    C++
UE4Editor-CoreUObject.dll!FAsyncLoadingThread::TickAsyncLoading(bool bUseTimeLimit, bool bUseFullTimeLimit, float TimeLimit, FFlushTree * FlushTree) Line 4720    C++
UE4Editor-CoreUObject.dll!FlushAsyncLoading(int PackageID) Line 6805    C++

Have Comments or More Details?

There's no existing public thread on this issue, so head over to Questions & Answers and mention UE-63495 in the post.


Status: Fixed
Component: UE - Foundation - Core
Affects Versions: 4.19, 4.20, 4.21
Target Fix: 4.22
Fix Commit: 4332608
Main Commit: 4772220
Release Commit: 4862694
Created: Aug 29, 2018
Resolved: Aug 30, 2018
Updated: Feb 12, 2019